Data breaches, fines

by msecadm4921

A financial services company with operations in the UK, USA and Middle East breached the Data Protection Act by losing over 600 customers’ personal details, the Information Commissioner’s Office (ICO) said in February.

E*Trade Securities Ltd discovered that a large number of customer files were missing in April 2010 when it asked for archived documents held in a storage facility in the UK to be retrieved. Files containing 608 customers’ personal data remain missing; most of them included identification documents, proof of address and account application forms.

The company informed the ICO about the breach in December 2010 after all attempts to find the information had failed. Initial enquiries found that E*Trade Securities Ltd did not have a formal agreement in place with the contractor responsible for securely storing their client data.

The company has now agreed to take action to keep the personal information it holds secure. This includes implementing written agreements with UK contractors storing client personal data on its behalf and making sure that appropriate audit trails are in place to record where client files are being sent and stored at all times.

Head of Enforcement, Steve Eckersley, said: “This breach was caused by the company failing to have the necessary security measures in place to keep their clients’ information secure. The fact that customer records are being archived in a storage facility and not regularly accessed does not give businesses licence to forget about them. This case demonstrates how important it is to stipulate in writing how long personal information needs to be kept, how regularly it should be reviewed and when it can be securely destroyed.”

Meanwhile the ICO has served monetary penalties totalling £180,000 on two councils for failing to keep highly sensitive information about the welfare of children secure. These latest penalties bring the total amount served by the ICO on organisations found in serious breach of the Data Protection Act to over one million pounds.

Croydon Council has been handed a penalty of £100,000 after a bag containing papers relating to the care of a child sex abuse victim was stolen from a London pub. Norfolk County Council has been served with an £80,000 penalty for disclosing information about allegations against a parent and the welfare of their child to the wrong recipient.

Stephen Eckersley, Head of Enforcement, said: “We appreciate that people working in roles where they handle sensitive information will – like all of us – sometimes have their bags stolen. However, this highly personal information needn’t have been compromised at all if Croydon Council had appropriate security measures in place.

“One of the most basic rules when disclosing highly sensitive information is to check and then double check that it is going to the right recipient. Norfolk County Council failed to have a system for this and also did not monitor whether staff had completed data protection training. While both councils acted swiftly to inform the people involved and have since taken remedial action, this does not excuse the fact that vulnerable children and their families should never have been put in this situation.”

The Croydon Council breach – which happened in April 2011 – occurred when an unlocked bag belonging to a social worker was stolen from a London pub. The worker was taking papers, including information about the sexual abuse of a child and six other people connected to a court hearing, home for use at a meeting the following day. The bag and its contents have never been recovered.

The ICO found that while Croydon Council did have data protection guidance available at the time of the theft, it was not actively communicated to staff and the council had failed to monitor whether it had been read and understood. The council’s policy on data security was also inadequate and did not stipulate how sensitive information should be kept secure when taken outside of the office.

The Norfolk County Council breach – also in April 2011 – happened when a social worker inadvertently wrote the wrong address on a report and hand delivered it to the intended recipient’s next door neighbour. The report contained confidential and highly sensitive personal data about a child’s emotional and physical wellbeing, together with other personal information.

The ICO found that the social worker had not completed mandatory data protection training and that the council did not have a system in place for checking whether training had been completed. The council also did not have a peer-checking process to ensure that sensitive information was being sent to the correct recipient.

Both councils have taken remedial action as a result of the breaches and will now ensure that effective data protection measures are put in place.

Separately, five councils breached the Data Protection Act by failing to keep people’s personal information secure, the Information Commissioner, Christopher Graham, said.

Information Commissioner Christopher Graham said: “At a time when councils are increasingly working with community partners, when data is shared it is vital that they uphold their legal responsibilities under the Data Protection Act. Failures not only put local residents’ privacy at risk, but also mean that councils could be in line for a sizeable monetary penalty. We must also consider the detrimental impact these breaches continue to have on the individuals affected. Disclosing details about someone’s social housing status can be upsetting and damaging for those affected. To help tackle this issue I’ve submitted a business case to the government to ask for them to extend my compulsory audit powers.”

The five data breaches at local authorities all relate to incidents where the councils failed to take appropriate steps to ensure that personal information was kept secure.

    * Basingstoke and Deane Borough Council breached the Data Protection Act on four separate occasions during a two-month period last year. The breaches included an incident in May when an individual was mistakenly sent information relating to 29 people who were living in supported housing. The Council has now signed an undertaking committing it to take action to address the problems highlighted in each incident. This includes introducing appropriate checks to make sure personal information is handled in compliance with the Act.

    * Meanwhile, in July 2011, an employee of Brighton and Hove Council emailed another member of staff’s personal data to 2,821 council workers. A third party also informed the ICO of a historic breach which occurred in May 2009 when an unencrypted laptop was stolen from the home of a temporary employee. The Council has now committed to ensuring that the personal information it processes is secure, including making sure that all portable devices used to store personal data are encrypted.

    * Further undertakings have also been signed by Dacorum Borough Council, Bolton Council and Craven District Council, whilst an enforcement notice has been issued to Staffordshire County Council over its mishandling of a subject access request.

As well as the five local authorities, undertakings for youth charity Fairbridge and healthcare provider Turning Point have also been published.

© 2024 Professional Security Magazine. All rights reserved.