DSG Retail, the firm which operates various high street brands including PC World and Dixons, has been the victim of a brow-beating at the hands of the Information Commissioner’s Office (ICO), after it emerged that it had improperly disposed of personal details relating to several customers.
The data in question was located close to an open waste disposal unit and several credit agreements which had been completed by several DSG Retail customers were only discovered by workers from the local council.
The potential for this poorly handled data to fall into the wrong hands is high, but this incident is being seen as particularly severe because the credit agreements were more than two years old, which means they were held onto by DSG Retail for longer than its internal policies would normally allow. This perhaps accounts for the hurried, slap-dash nature of their disposal.
DSG Retail and its subsidiaries are required by procedure to safely and securely dispose of customer details in a way which renders them completely unusable and the documents should have been destroyed after being transported in closely guarded containers.
In this instance it is clear that employees did not comply with the rules and the ICO has consequently found DSG Retail to have breached the terms of the Data Protection Act.
DSG Retail’s CEO John Browett has committed to a formal undertaking laid out by the ICO and this move means that the organisation is following in the footsteps of Yorkshire Building Society and an NHS Trust in Wolverhampton, both of which were hit with similar requirements after suffering embarrassing data losses which were made public in the last few days.
The ICO’s Mick Gorrill said that the protection of private customer data should be paramount throughout its storage and on into its disposal. He criticised DSG Retail for retaining the data for longer than was necessary and said that an improvement to staff training on the proper handling of data will result from the formal undertaking.
DSG Retail will avoid monetary penalties in this instance and the ICO explained that it was more interested in aiding organisations with overhauling their data protection policies rather than handing out fines.