Tag Archives: DPA

ICO slams NHS trust over data loss

The Information Commissioner’s Office (ICO) has become involved in another data loss scandal involving an NHS trust, this time located in Wolverhampton.

The Data Protection Act (DPA) was breached by the Royal Wolverhampton Hospitals NHS Trust after it emerged that more than 100 patients had their details exposed in a moderately serious data loss incident.

An optical media disc containing details of scans taken from a total of 112 patients who had visited intensive care at New Cross Hospital went astray and was discovered by a member of the public at a bus stop.

The missing disc was not protected in any way, with no password or encryption on-board to keep the personal data out of reach of malicious third parties.

The ICO and investigators from within the trust could not discover the reason for the loss, or indeed the purpose of the disc’s existence in the first place. However, vulnerabilities in data protection and usage policy within the trust have been made apparent.

The ICO’s Mick Gorrill said that the data contained on the disc related to cases from several years ago, but pointed out that any loss of patient data should be considered as serious, disregarding the age of the information. He added that an agreement to improve data protection policy within the trust had been forged.

Managers at the trust have committed to follow the rules of the DPA to the letter in the future and they have also agreed to allow the ICO to monitor the manner in which they protect and handle patient data for an undisclosed period.

Security experts have criticised the NHS for its continuing inability to secure patient data, together with its usage of unencrypted portable media which is one of the common drivers behind data loss in the NHS and other organisations.

Protecting customer and patient data requires a multi-tiered approach to ensure total security, according to Absolute Software’s Dave Everitt. He added that simple password and encryption systems could allow users to protect data with ease.

Private investigators cautioned by ICO over data harvesting

The Information Commissioner’s Office (ICO) has spoken out about the allegedly spurious actions of many investigators who work in the UK on a freelance basis, with questions being raised over the way in which they gather both online data and paper data on their targets.

The ICO is concerned that the regulations of the Data Protection Act (DPA) are rarely heeded by those whose job it is to carry out investigations without the direct authority of the police.

The ICO issued a statement explaining the types of data typically collected and used by private eyes and said that many were in contravention of the DPA because of the nature of the data and the manner in which they had acquired it.

Private details on individuals, from addresses and phone numbers to bank account information, are routinely gathered by investigators, the ICO said. It pointed out that anyone collecting this type of information was obliged under the DPA to notify it in order to ensure that no citizens are being exploited.

The ICO has contacted the associations of private investigators operating domestically and internationally in order to highlight the issues and request that, in future, the members act within the law rather than in a manner that puts them in breach of the terms of the DPA and in the same boat as hackers and cybercriminals.

Investigators who notify the ICO of their data harvesting activities will have to pay a £35 administration charge, but there is the deterrent of much larger fines looming over those who might consider avoiding this relatively small figure.

The ICO was keen to restate its stance on the matter, claiming that it would be taking action against any investigator who did not report their data-related activities in the appropriate manner and in due course. However, it did say that it would be partnering with the associations in order to work together and find a solution to its grievances, rather than gunning for every investigator on an individual basis.

The ICO’s David Smith said his department was taking a firm stance on this issue, in the interests of protecting personal information and private data from misuse.

Data Protection Act and Freedom of Information Act

The laws behind data protection have always been complicated, to say the least, with many laws contradicting one another depending on the type of company, type of industry, type of data, use of data and age of data. The complex rules and regulations often leave companies protecting their data incorrectly or, worse still, doing nothing: taking no steps to protect their data or to comply with the Freedom of Information Act. This can leave them wide open to both fines and punishments from a number of governing and regulatory bodies.

As an online backup and disaster recovery company, we are very often asked by customers whether we can help them comply with the rules and regulations imposed on them by the DPA and FoIA. Not only can we help companies in this situation, but we can actually make it easier for them to abide by these regulations, lifting the weight of responsibility.

There are a number of features within our Asigra software that make compliance very straightforward when compared to traditional tape solutions. For example, under the DPA any details that could be used to identify an employee, customer and/or client must be stored securely and must not be accessible to the public. Our system is able to store data using two 256-bit encryption keys, with all encryption occurring before any data is transferred to our secure UK data centres in Manchester and London.

With built-in encryption, automatic offsite backups and long-term storage via retention rules, our solutions conform with each aspect of the DPA automatically.

The ‘take home’ with the FoIA is that all public bodies must (in certain circumstances) release the data they hold upon request. The requested data can be historical information dating back any number of years. Utilising Asigra’s retention policies, we can ensure that our clients’ data is stored securely off site, for as long as it is needed, and is recoverable at any point in time should a valid request for data arise.

While these steps may seem simple and easy to follow, the number of public bodies that are falling short of these legal requirements is worryingly large.
