ICO obtains undertakings following accidental breaches
Updated October 2011
The Information Commissioner's Office (ICO) has recently secured a number of undertakings in relation to breach of the seventh data protection principle. This principle, set out in the Data Protection Act 1998 (the Act), states that "appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data." The undertakings set out below relate to the accidental loss of personal data that could affect any business if the correct procedures are not followed. Incidents such as these may arise where there is no appropriate data protection policy or due to staff or contractors not following the organisation's policies.
One local authority has given an undertaking to comply with the seventh data protection principle following the accidental disposal of hundreds of residents' postal votes in a skip. The votes, which were dumped by one of the Council's contractors, included names, addresses, dates of birth and signatures. In breach of the Act, the Council did not have a written agreement in place with the contractor processing the personal data. The Council also failed to provide the data processor with instructions as to how the information should be kept secure. The ICO stated that "whilst Councils can hire contractors to process personal information on their behalf, they must remember that they are still ultimately responsible for ensuring people's information is kept secure."
A further undertaking to comply with the seventh data protection principle has been signed by another local authority. The undertaking was given after the Council self-reported a flaw in the encryption of a number of Council-issued memory sticks. The flaw permitted the memory sticks to be reformatted with the encryption protection removed. Upon discovering the flaw during a recall of old devices, the Council took appropriate remedial action and acceptable auditing and security of the devices were re-established. The Information Commissioner obtained undertakings from the Council that, amongst other things:
- portable devices are encrypted to the required standards;
- staff are appropriately trained;
- a detailed audit trail of portable devices is maintained;
- a policy for removal of portable devices from work premises is introduced; and
- appropriate security measures are implemented.
An undertaking to comply with the seventh data protection principle has also been signed by the Scottish Children’s Reporter Administration (SCRA). The undertaking was given following two incidents where the SCRA failed to keep sensitive information about the welfare of young people secure. In the first incident, nine case files on the safety and welfare of identifiable children were accidentally left in a filing cabinet and removed as part of an office refurbishment. The cabinet was then sold in a second-hand furniture shop and the buyer returned the files. In another incident, sensitive documentation relating to a child's court hearing was sent to the wrong email address, that of an unknown third party. The Information Commissioner identified that both breaches were the result of the SCRA's failure to make sure that the organisation's existing data protection and IT security guidance was being correctly followed by staff. The chief executive of the SCRA signed an undertaking to ensure that staff are made aware of the organisation's policies on the storage and use of personal data and that compliance with such policies is audited.
All of the incidents above arose from flaws in data security policy, a lack of awareness of the policy by staff/contractors or inadequate procedures for ensuring compliance with the policies. Should your business require any advice or assistance in developing and implementing data protection policies, preparing third party processor agreements or with staff training, please contact Alison Deighton, head of TLT's Data Protection and Privacy team.
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at October 2011. Specific advice should be sought for specific cases; we cannot be held responsible for any action (or decision not to take action) made in reliance upon the content of this publication.
TLT LLP is a limited liability partnership registered in England & Wales number OC 308658 whose registered office is at One Redcliff Street, Bristol BS1 6TP England. A list of members (all of whom are solicitors or lawyers) can be inspected by visiting the People section of this website. TLT LLP is authorised and regulated by the Solicitors Regulation Authority under number 406297.
Contact
Alison Deighton
Partner
Tel: +44 (0)117 917 8016