Search

Brian Pennington

A blog about Cyber Security & Compliance

Tag

Ken Macdonald

Rubbish causes a breach of the Data Protection Act and a £250,000 fine

Scottish Borders Council employed an outside company to digitise their employee records but when the pension records of several hundred ex-employees were found in recycling bins the Information Commission’s Office began an investigation for a breach of the Data Protection Act.

Following the investigation the Information Commissioner has fined the Council £250,000 for not seeking appropriate guarantees on how the personal data would be kept secured and dealt with.

It is believed more than 600 files were deposited at the recycle bins, containing confidential information and, in a significant number of cases, salary and bank account details. The files were spotted by a member of the public who called police, prompting the recovery of 676 files. A further 172 files deposited on the same day but at a different paper recycling bank are thought to have been destroyed in the recycling process.

Ken Macdonald, ICO Assistant Commissioner for Scotland, said:

“This is a classic case of an organisation taking its eye off the ball when it came to outsourcing. When the Council decided to contract out the digitising of these records, they handed large volumes of confidential information to an outside company without performing sufficient checks on how securely the information would be kept, and without even putting a contract in place.

“It is only good fortune that these records were found by someone sensible enough to call the police. It is easy to imagine other circumstances where this information could have exposed people to identity fraud and possible financial loss through no fault of their own.

“If one positive can come out of this, it is that other organisations realise the importance of properly managing third parties who process personal data. The Data Protection Act is very clear where the responsibility for the security of that information remains, and what penalties await those who do not comply with the law.”

Who else has the information commissioner caught this year? Find out here.

.

E*Trade Securities Ltd falls foul of the ICO after losing customer records

In April 2010 E*Trade Securities Ltd discovered that 608 customer records were lost at a UK based storage facility and despite an investigate were unable to recover the records.

E*Trade Securities Ltd did not have a formal agreement to store the customer information securely and subsequently informed Information Commissioner’s office in December 2010.

E*Trade Securities Ltd has now agreed to take action to keep the personal information it holds secure. This includes implementing written agreements with UK contractors storing client personal data on its behalf and making sure that appropriate audit trails are in place to record where client files are being sent and stored at all times.

Head of Enforcement, Steve Eckersley, said:

“This breach was caused by the company failing to have the necessary security measures in place to keep their clients’ information secure. 

“The fact that customer records are being archived in a storage facility and not regularly accessed does not give businesses license to forget about them. This case demonstrates how important it is to stipulate in writing how long personal information needs to be kept, how regularly it should be reviewed and when it can be securely destroyed.”

.

Council fined £140,000 for five serious data breaches

The five serious data breaches – all involving children’s social service reports being sent to the wrong recipients – happened at Midlothian Council and occurred between January and June 2011.

  • One breach concerned papers concerned with the status of a foster carer being sent to 7 healthcare professionals who had no need to see them
  • Another case was of the minutes of a child protection conference being sent in error to the former address of a mother’s partner, where they were opened and read by his ex-partner. The papers also contained personal data about the children’s mother

The first breach occurred in January 2011 but did not come to light until March

Ken Macdonald, Assistant Commissioner for Scotland said:

“Information about children’s care, as well as details about their health and wellbeing, is some of the most sensitive information a local authority holds. It is of vital importance that this information is protected and that robust policies are followed before it is disclosed.   

“The serious upset that these breaches would have caused to the children’s families is obvious and it is extremely concerning that this happened five times in as many months. I hope this penalty acts as a reminder to all organisations across Scotland and the rest of the UK to ensure that the personal information they handle is kept secure.”

The ICO’s investigation found that all five breaches could have been avoided if the council had put adequate data protection policies, training and checks in place.

The ICO has ordered the council to take action to keep the personal information they handle secure. The council has recovered all of the information mistakenly sent to the wrong recipients and will now check all records to ensure that the details they hold are up-to-date.

.

QC has unencrypted laptop stolen and is sanctioned by the ICO

The Information Commissioner’s Office has reported on the case of a Scottish Advocate having an unencrypted laptop stolen.

The laptop was stolen from the home of Ruth Crawford QC in 2009 when she was away on holiday. It contained personal data relating to a number of individuals involved in eight court cases the advocate had been working on. This included some details relating to the physical and mental health of individuals involved in two of the cases. The device has not been recovered; however, most of the information compromised would already have been released as evidence in court papers.

The breach was only reported to the ICO on 30 August 2011 when the last case relating to information held on the laptop was concluded. The ICO’s enquiries found that, whilst Ms Crawford had some physical security measures in place at the time of the theft, she failed to ensure that either the device or the sensitive information stored on it was appropriately encrypted.

The QC has now agreed to put the necessary changes in place to ensure this type of incident does not happen again. This includes locking away any personal information stored at her home and following any future data protection guidance issued by the Faculty of Advocates or her stable.

Ken Macdonald, Assistant Commissioner for Scotland said:

The legal profession holds some of the most sensitive information available. It is therefore vital that adequate security measures are in place to keep information secure.

“As this incident took place before the 6 April 2010 the ICO is unable to serve a financial penalty in this instance. But this case should act as a warning to other legal professionals that their failure to protect personal information is not just about potentially being served with a penalty of up to £500,000 – it could affect their careers too. If confidential information is made public, it could also jeopardise the important work they do in court.

“The ICO would also like to assure the legal profession that any information reported to this office will not be disclosed unless there is specific legal authority for us to do so. Therefore all breaches should be reported to our office as soon as practically possible.” 

.

Create a free website or blog at WordPress.com.

Up ↑

%d bloggers like this: