ICO investigates Council after records dumped in skip

The Information Commissioner’s Office (ICO) has investigated Wolverhampton City Council after personal information, including sensitive data, was found in a skip.

The case came to the attention of the ICO in October 2010 when a local newspaper reported that council documents containing names, dates of birth, bank details, employment records and medical information had been dumped in a skip at a community leisure centre. The skip was subsequently stolen and the documents in it discarded.

Following investigation by the ICO, it was established that the council did have a written contract in place with a waste management company for the appropriate disposal of personal data; however, council employees had failed to recognise the confidential nature of the information when it was disposed of.

The Chief Executive of Wolverhampton City Council has signed an undertaking with the ICO agreeing to ensure that employees are made aware of Council data protection and confidential waste management policies, including how to comply with such policies. The council has also agreed to regularly monitor compliance with the policies.

Personal data of 10,000 individuals sent to wrong email address

Gwent Police have been investigated by the Information Commissioner’s Office (ICO) for a data breach involving the personal data of 10,000 individuals.

An employee of Gwent Police emailed a spreadsheet containing the Criminal Records Bureau enquiries of 10,000 individuals to a journalist by mistake. The journalist's name had been populated automatically by the email system because it was similar to the name of one of the staff members to whom the spreadsheet was meant to be sent. 863 of the records indicated that personal data was recorded, but no information about the nature of the criminal records was included in the spreadsheet and no personal data was identifiable.

An investigation by Gwent Police found that the staff member had failed to follow the force's IT policy, which requires that personal information is not shared unless necessary and that passwords are used when transmitting personal data.

Gwent Police have signed a formal undertaking with the ICO agreeing to implement a number of measures to prevent such breaches occurring in future, including:

• Technological measures to prevent inappropriate auto completion of addresses in internal and external email accounts;
• Technological measures which will enforce the marking of documents which are intended for transmission by email;
• Where there is a real need for sensitive personal data to be shared, direct and secure access to the database concerned should be used and if there is no option but to send the data by email, only the absolute minimum amount of identifiable data is to be sent via a secure email account;
• The prohibition of generic passwords; and
• Staff shall be made aware of the force’s restriction on the use of sensitive personal data.

ICO issues more fines for unencrypted laptops

The Information Commissioner (ICO) has fined both Ealing and Hounslow Councils for failing to encrypt laptops used by home workers which contained personal data.

Ealing Council operates an out-of-hours service on behalf of both itself and Hounslow Council, which is supported by nine home workers. The home workers are issued laptops by Ealing Council to carry out their work, which involves recording personal data of clients who use the service. Two laptops, which contained personal data of 1,700 individuals (1,000 pertaining to Ealing Council and 700 to Hounslow Council), were stolen from the home of one of the home workers.

The laptops were password protected but unencrypted, which is in breach of both councils' policies. Although there is no evidence to suggest that any of the data has been used inappropriately, the ICO viewed this breach as a significant threat to the privacy of the clients.

Ealing Council was fined £80,000 for issuing an unencrypted laptop in breach of its own policy, whilst £70,000 was deemed appropriate for Hounslow Council for failing to have a written contract in place with Ealing Council.

The affected individuals were contacted following the breach.

These recent fines bring the total number of monetary penalties issued by the ICO using his new powers to four, three of these being for unencrypted laptops. It is important for organisations to note that password protection is not considered sufficient to protect personal data held on laptops or indeed other mobile media devices.

Information Commissioner issues first monetary penalties

The Information Commissioner (ICO) has exercised his new fining power which came into effect on 6th April this year. The power allows the ICO to levy monetary penalties of up to half a million pounds against organisations found to have seriously breached the Data Protection Act.

The first fines are both for security breaches: one for two misdirected faxes containing sensitive personal data, the other for a stolen, unencrypted laptop containing 24,000 records of sensitive personal data.

Misdirected faxes

This case involved two separate incidents whereby employees of Herefordshire County Council (Council) had sent faxes to the incorrect recipient. One contained information about child care proceedings and the other concerned a child sex abuse case which was before the court. The Council reported both breaches to the ICO, who found that, taking into account the damage and distress which could have been caused to the individuals concerned, the Council's procedures did not prevent such serious breaches from occurring. The ICO issued a fine of £100,000 for these breaches.

Stolen unencrypted laptop

In this case, an employee of an employment services company lost an unencrypted laptop which contained 24,000 records of people who had used community legal advice in Leicester and Hull. The laptop was issued to an employee for the purposes of home working but was stolen from the employee’s home. The company informed the ICO of the theft and also informed the individuals whose data could have been accessed. A fine of £60,000 was levied on the company for not taking adequate steps to protect the personal information held on the laptop despite being aware of the distress such information could have caused the individuals concerned if it was inappropriately disclosed.

Council discloses personal data inappropriately

Portsmouth City Council, when responding to a subject access request, provided sensitive health information about another individual to the requestor.

Under data protection laws, individuals have a right to ask companies and organisations to see all personal data held about them. In responding to such requests, companies and organisations must ensure that any information relating to anyone other than the requesting party is not disclosed, by redacting this information.

This process was not carried out by Portsmouth City Council which resulted in information about the health of a third party being disclosed to the requesting individual.

The Council informed the Information Commissioner's Office ("ICO") of this error and the ICO carried out an investigation, which found that the individual who handled the subject access request was neither an employee of the Council nor contracted to provide such services to the Council. The training provided on how to deal with subject access requests was found to be inadequate and the Council has entered a formal undertaking with the ICO.

Through the undertaking, the Council agrees to ensure that all relevant staff are fully trained in how to handle subject access requests and that checks are put in place to ensure that third-party data is dealt with in accordance with the Data Protection Act. The Council has also agreed that in future, any individuals tasked with redacting material from subject access requests will either be employed by the Council directly, or otherwise enter into a formal contract to provide this service.

NHS Trust Breaches Data Protection Act

The Information Commissioner's Office ("ICO") has recently found the East and North Hertfordshire NHS Trust ("Trust") to be in breach of the Data Protection Act following a security breach whereby an unencrypted USB stick containing patients' medical data was lost on a train.

A junior doctor downloaded the information in preparation for a shift handover but inadvertently took the data stick home with him. The stick was unfortunately lost on a train and has not yet been recovered.

Investigations by the ICO found that the junior doctor was not able to access the Trust policies on data protection and that the Trust did not have clear policies on the use of mobile media devices. An undertaking has been entered between the ICO and the Trust in which the Trust agrees to implement clear policies on the use of mobile media devices, train all staff who have access to personal data on such policies and monitor compliance with the security policies to prevent such an event occurring in future.

New Fines for Data Protection Breaches

Since 6th April this year, the Information Commissioner has had the power to fine organisations for significant breaches of the Data Protection Act. Prior to this, the Information Commissioner did not have the power to impose fines on organisations and had to use the other enforcement powers available to him. This is a significant development for the enforcement of data protection laws in the UK, and the maximum fine is £500,000 per breach.

This new power has focussed the attention of many companies on the status of their data protection compliance.

Although the new power has not been exercised yet, the first fines are very likely to be for a data security breach such as the loss of an unencrypted USB stick or CD-ROM containing personal data. Although security breaches tend to be one of the main breaches against which we have seen the Information Commissioner take enforcement action over the past two years, it is important for companies to be aware that breaches of any of the other data protection principles can also give rise to fines if the breach could or does harm an individual.

The recent enforcement action consists mainly of undertakings entered between the Information Commissioner and the company in breach.