Roundup of the ICO Enforcement Action in Q1 2014
This year's enforcement action at the Information Commissioner's Office ("ICO") has continued to largely focus on breaches of the 7th data protection principle ("7th DPP"), which provides for appropriate technical and organisational measures to be taken against unauthorised or unlawful processing of personal data.
The British Pregnancy Advice Service ("BPAS") was issued with a monetary penalty notice ("MPN") of £200,000 for not knowing what personal data it held, and for allowing a malicious hacker to exploit security vulnerabilities in its website to access the names of 9,000 people who had sought the BPAS' advice on abortion, pregnancy and contraception. The BPAS obtained an injunction to prevent publication of the information. Nonetheless, the BPAS' actions breached the 5th data protection principle (governing how long personal data may be held) and were a serious breach of the 7th DPP.
The Department of Justice Northern Ireland ("DoJ NI") was issued with an MPN of £185,000 due to a failure to check what was in a locked filing cabinet that the DoJ NI sold without a key. This reinforces previous MPNs, confirming that data controllers must check that any electronic or physical equipment does not contain any personal data or sensitive personal data before it is disposed of or sold.
Kent Police was issued with an MPN of £100,000 for failure to remove highly sensitive information from an old police station. As per the Stockport Primary Care Trust MPN, data controllers must, at the very least, fully clear premises of all personal data (particularly sensitive personal data) where those premises are being decommissioned, vacated or sold.
The need for guidance and training on how sensitive personal data should be handled and kept secure when taken outside of the office was illustrated by the undertaking Neath Care was required to give to the ICO after a member of the public found the files of 10 vulnerable and elderly people in the street.
The ICO issued enforcement notices against Isisbyte Limited and SLM Connect Limited for making nuisance calls while failing to correctly identify themselves. Companies making live marketing calls breach the law by ringing individuals registered with the Telephone Preference Service.
There have also been prosecutions regarding failure to register as a data controller (which itself is a criminal offence) and unlawfully obtaining personal data.
Lessons for data controllers
It goes without saying that you can learn from the mistakes that others have already made. The MPNs show that regulatory 'hot spots' include accidental loss or theft of data, human error, lack of training, misdirected communications and lack of sufficient policy. Data controllers should use the subject matter of MPNs and undertakings to:
- ascertain the types of data being handled;
- understand the legal obligations regarding such data and have appropriate guidance, procedures and training in place to mitigate risk; and
- avoid breaching the DPA (particularly the regulatory 'hot spots') and ensure there is an effective recovery plan in place in the event a data protection breach arises.
The BPAS MPN shows cybersecurity is likely to be increasingly important in the ICO's eyes. The Sony and BPAS MPNs should act as warnings to all data controllers that fines for breaching the 7th DPP are not limited to misdirected communications and stolen or lost data (including use of unencrypted portable electronic devices).
If the proposed Data Protection Regulation is passed by the Council of Ministers with no or minor changes, the regulatory sanctions will be even more severe.
Nathaniel Lane is a Solicitor in Michelmores' Technology, Media and Communications Team who has an ISEB Certificate in Data Protection. For further information on this matter or data protection generally, please contact Nathaniel at firstname.lastname@example.org or on 0207 788 6313.