Barely a day goes past now without a data protection related story hitting the headlines.
Last week the UK’s data protection regulator, the Information Commissioner’s Office (“ICO”), warned businesses and other organisations that they “must have adequate security measures in place to keep people’s information secure” after it transpired that 677,335 user accounts on the Racing Post website had been compromised during a data breach in October 2013.
The ICO found that although the Racing Post had carried out security testing on its website in 2007, it had failed to apply security patches after this time – leaving the website open to attack.
The ICO has accordingly requested that the Racing Post sign an undertaking (a written promise) committing it to take action to improve data protection compliance by introducing routine IT security testing and having in place a policy to ensure that security patches and updates are regularly applied.
Last week the ICO also issued a report into data protection compliance by 16 local authorities, finding “areas of good practice, but clear room for improvement by all”. According to the ICO, six authorities had “considerable room for improvement”, while one was warned that immediate action was required.
According to the ICO:
“The types of breaches we’re seeing are fairly consistent, with personal information being disclosed in error and lost or stolen paperwork and hardware prevalent… By learning from the mistakes of others, and indeed learning from the examples of good practice we found, local authorities will improve their compliance with the law, and be less likely to find the regulator knocking on their door.”
Last week was also the week that the ICO served a £180,000 monetary penalty on the Ministry of Justice following the loss of an unencrypted back-up hard drive at a prison in May 2013. The drive contained personal data (including sensitive personal data) relating to 2,935 prisoners, including details of links to organised crime, health information, history of drug misuse and information about victims and visitors.
This followed a similar incident in October 2011, when another unencrypted hard drive containing personal data relating to 16,000 prisoners was lost.
In May 2012 the prison service provided new hard drives to all of the prisons across England and Wales, which were capable of encrypting the information stored on them. However, the ICO’s investigation into the latest incident found that the prisons had not realised that the encryption had to be switched on before the drives would actually protect the data stored on them.
The ICO’s Head of Enforcement, Stephen Eckersley, commented:
“The fact that a government department with security oversight for prisons can supply equipment to 75 prisons throughout England and Wales without properly understanding, let alone telling them, how to use it beggars belief… This is simply not good enough and we expect government departments to be an example of best practice when it comes to looking after people’s information. We hope this penalty sends a clear message that organisations must not only have the right equipment available to keep people’s information secure, but must understand how to use it.”
The above matters serve as a timely reminder that every organisation handling personal data should have in place appropriate technical and organisational measures to protect the security and integrity of personal data. This is known as the “seventh data protection principle” under the Data Protection Act 1998 (the “DPA”).
(In summary, the DPA requires that personal data must be:
1. Fairly and lawfully processed;
2. Processed only for the purposes for which it was obtained;
3. Adequate, relevant, and not excessive;
4. Accurate and up-to-date;
5. Not kept for longer than is necessary;
6. Processed in line with individuals’ rights;
7. Kept secure; and
8. Not transferred out of the EEA without adequate protection.)
With the ICO showing increasing willingness to take enforcement action, including by issuing monetary penalties in what it deems to be the most serious cases, now is a good time for businesses and organisations to review their data protection policies and procedures – particularly in relation to how they store and process personal data online and on their IT systems.