The Information Commissioner’s Office (ICO) is responsible for the enforcement of the Data Protection Act 1998 (DPA). Organisations must hold and use personal information about individuals in accordance with the DPA.
Last month the ICO served Instant Cash Loans Limited with a monetary penalty of £180,000 following a serious data breach involving sensitive information about customers and employees of the Money Shop.
In this case, a server had been stolen from the Money Shop in April 2014. A second server was then lost in May 2014 while it was being transported from the firm’s head office to a branch. Both servers held customer records and records relating to employees of the Money Shop.
The ICO found that the Money Shop did not encrypt the personal data held on its servers. In addition, some of the Money Shop’s branches did not have a “safe haven” (in which to lock a server holding personal data overnight) or alternative physical security measures.
Under the DPA, organisations must take ‘appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data’. Particular care is needed when processing sensitive personal data, such as information about health and medical records or, as in this case, criminal offences, because of the harm that could result from unauthorised disclosure.
Investigating this breach, the ICO considered that the loss of unencrypted personal data could cause distress (compensation under the DPA can currently be awarded for distress alone) and damage to the Money Shop’s customers if, for example, it was used for fraudulent purposes. Given the number of affected individuals, the nature of the personal data and the fact that the servers were not recovered, the ICO considered that such distress and loss was likely to be substantial.
This case comes after the ICO fined South Wales Police £160,000 in May of this year, after it lost a video interview with a victim which formed part of the evidence in a sexual abuse case. We also heard in early August that the ICO are “making enquiries” in relation to reports that personal data of up to 2.4 million Carphone Warehouse customers may have been taken during a cyber-attack.
The ICO has the power to issue penalties of up to £500,000 for serious data breaches, and organisations are coming under increasing scrutiny from the ICO and are being expected to show that appropriate safeguards were in place at the time of a breach.
Companies and organisations should take note that the ICO is willing to issue large fines in this area. They should ensure that their organisational and technological data security procedures are appropriate and, importantly, are kept up to date.
For further information or advice, please contact Jonathan Waters, Corporate Partner at Hay & Kilner.
Call: 0191 232 8345