Tag Archives: ICO

Ministry of Justice Fined by ICO

The Ministry of Justice has been fined £180,000 by the Information Commissioner’s Office (ICO) after an investigation concluded that there were serious failings in the handling of confidential data.

Confidential data belonging to almost 3,000 prisoners at Erlestoke prison in Wiltshire was compromised after a hard drive was lost. None of the data on the hard drive was encrypted, despite previous efforts to improve the security of confidential data being transported on portable devices.

The hard drive was lost in 2013 and contained confidential information about prisoners’ health and drug misuse, information about inmates’ victims and visitors and material on organised crime.

This incident still occurred even though a very similar thing happened back in 2011 when another hard drive was lost which compromised data belonging to 16,000 prisoners. In an attempt to protect the data, the Ministry of Justice provided the Prison Service with hard drives that could be encrypted.

Despite this, a lack of communication and training resulted in the government body failing to explain to employees that the encryption option had to be switched on manually.

Stephen Eckersley, who is the ICO head of enforcement, stated, “The fact that a government department with security oversight for prisons can supply equipment to 75 prisons throughout England and Wales without properly understanding, let alone telling them, how to use it, beggars belief.”

Eckersley added, “The result was that highly sensitive information about prisoners and vulnerable members of the public, including victims, was insecurely handled for over a year. We hope this penalty sends a clear message that organisations must not only have the right equipment available to keep people’s information secure, but must understand how to use it.”

A spokeswoman for the Ministry of Justice stated, “We take data protection issues very seriously and have made significant and robust improvements to our data security measures. These hard drives have now been replaced with a secure centralised system.”

The spokeswoman added, “Incidents like this are extremely rare and there is no evidence to suggest that any personal data got into the public domain.”

This incident is another example of where an organisation has acted reactively and not proactively which has resulted in confidential data being compromised. This incident also shows the importance of having effective training and communication procedures in place.

Citizens Advice Bureau Leaks Data Online

A Citizens Advice Bureau (CAB) branch in Newcastle is now being investigated by the Information Commissioner’s Office (ICO) after confidential data was accidentally leaked online.

It has been reported that 1,300 internal files were published online. The files contained data belonging to the branch’s customers, including customer names, addresses, debt history and criminal records. Some of the files also contained staff login details for the main CAB website. To make things more embarrassing for the CAB branch, letters assuring customers that their information would be handled confidentially were also included.

The Newcastle CAB branch has started the process of notifying the affected people whilst the investigation continues.

Shona Alexander, who is the chief executive of the Newcastle branch, stated, “This isolated incident at Newcastle CAB is being thoroughly investigated. I’d like to reassure people that, because we take data protection extremely seriously, they can speak to us in total confidence. All Newcastle CAB staff and volunteers are fully trained in information assurance. The ICO are aware of this incident and we are working with them, as well as the senior information risk owner at Citizens Advice, taking urgent action to contact anyone who may have been affected by this incident and fully resolving any issue.”

Steve Whitehead, who is the senior information risk owner, stated, “The Citizens Advice service has stringent data protection measures and highly secure systems in place to keep client and customer data safe. Incidents of this kind should never occur – we are working with Newcastle CAB while they investigate and resolve this isolated incident.”

The ICO have confirmed that they are investigating the issue to determine whether the incident constitutes a data protection breach.

A spokesman from the ICO stated, “We have recently been made aware of a possible data breach which may involve the Newcastle Citizens Advice Bureau. We will be making inquiries into the circumstances of the alleged breach of the Data Protection Act before deciding what action, if any, needs to be taken.”

This latest incident shows that companies are still making mistakes when dealing with confidential data, mistakes which could have severe consequences if the data were to fall into the wrong hands. It is time that companies start to educate their staff in data protection and put procedures in place to ensure that the rules and regulations are adhered to, so that incidents such as this one do not occur again.

Do you feel that companies are doing enough to protect confidential data?

ICO Hit Sony With £250,000 Fine After Data Breach

The Information Commissioner’s Office (ICO) have hit Sony Computer Entertainment Europe Limited with a hefty £250,000 fine after completing their investigation into the data breach that occurred in 2011.

The incident occurred in 2011 when the PlayStation Network (PSN) was infiltrated by hackers. As a result of the breach, Sony confirmed that the hackers could have gathered personal information belonging to as many as 77 million people worldwide. It is thought that the personal information stolen included names, dates of birth, addresses and even credit card details. However, soon after the initial breach was publicised, Sony released a statement claiming that all financial data and details were encrypted.

After the ICO investigation was completed, they came to the conclusion that the security defences Sony had in place were quite simply not up to the task of protecting the type of data that was stored.

Deputy Commissioner of the ICO, David Smith, claimed, “If you are responsible for so many payment card details and log-in details, then keeping that personal data secure has to be your priority. In this case that just didn’t happen, and when the database was targeted, albeit in a determined criminal attack, the security measures in place were simply not good enough.”

Sony Computer Entertainment Europe Limited have already expressed their disappointment with the findings and conclusion of the investigation and are planning to appeal the fine.

In a statement, Sony stated, “Sony Computer Entertainment Europe strongly disagrees with the ICO’s ruling and is planning an appeal. SCEE notes, however, that the ICO recognises Sony was the victim of ‘a focused and determined criminal attack,’ that ‘there is no evidence that encrypted payment card details were accessed,’ and that ‘personal data is unlikely to have been used for fraudulent purposes’ following the attack on the PlayStation Network.”

Sony also added, “Criminal attacks on electronic networks are a real and growing aspect of 21st century life and Sony continually works to strengthen our systems, building in multiple layers of defence and working to make our networks safe, secure and resilient. The reliability of our network services and the security of our consumers’ information are of the utmost importance to us, and we are appreciative that our network services are used by even more people around the world today than at the time of the criminal attack.”

Sony will only have to pay £200,000 if they pay the fine by the 13th February as part of an early payment discount.

As the techniques of hackers become more sophisticated and complex, having adequate data protection methods in place becomes more vital with each passing day. To further enhance your protection, a secure and robust data backup solution should be in place to ensure that any deleted or tampered data can be recovered, helping to reduce the overall impact if your systems were successfully hacked.

Greater Manchester Police Hit with Fine after Data Loss

The Information Commissioner’s Office (ICO) has hit Greater Manchester Police with a £150,000 fine after a data loss incident. This fine was later reduced to £120,000 after the ICO granted them a twenty per cent discount for early payment.

Data belonging to over 1,000 people with links to serious crime investigations had been saved on a memory stick and was taken home by a detective. In July 2011, the detective’s home was broken into and his wallet, which contained the memory stick and his car keys, was stolen.

During the ICO’s investigation into the incident, it was revealed that Greater Manchester Police hadn’t acquitted themselves very well at all, as data protection procedures were nowhere near the required level.

The data on the memory stick was unencrypted and wasn’t even password protected. As no security measures were in place, the data on the memory stick could easily fall into the wrong hands and be readily accessible.

The ICO investigation team concluded that Greater Manchester Police staff hadn’t been sufficiently trained in data protection, and this is despite a similar data loss incident that occurred in 2010. Surely the incident in 2010 should have resulted in more stringent measures being put in place and enforced, but obviously this wasn’t the case and confidential data has been put at unnecessary risk.

David Smith, who is the ICO Director of Data Protection, stated, “This was truly sensitive personal data, left in the hands of a burglar by poor data security. The consequences of this type of breach really do send a shiver down the spine. It should have been obvious to the force that the type of information stored on its computers meant proper data security was needed. Instead, it has taken a serious data breach to prompt it into action. This is a substantial monetary penalty, reflecting the significant failings the force demonstrated. We hope it will discourage others from making the same data protection mistakes.”

Assistant chief constable Lynne Potts later claimed, “This was very much an isolated incident. We take all matters relating to the storage of data extremely seriously and have stringent measures in place to ensure the safe storage of data.”

With the ICO now issuing such fines, it does make you wonder why data is still being put at an unnecessary risk. There are a number of basic security measures that can be employed such as encrypting the data which can help to reduce the impact if devices such as memory sticks are lost or stolen.

Another NHS Trust Fined After Patient and Staff Files Left Behind

The Information Commissioner’s Office (ICO) have fined the Belfast Health and Social Care Trust a staggering £225,000 after it was revealed that 115,000 patient and staff files were left behind after the hospital closed in 2006.

In total, 100,000 patient records and 15,000 staff files were left behind. These records and files had been left on the floor, in cabinets or on shelves, which clearly shows a total disregard for the security of this confidential data when it came to moving the files and records to a secure location.

The negligence towards the security of such confidential files is the main reason for the ICO imposing such a significant fine. The ICO stated, “The Trust failed to take appropriate action to keep the information secure, leaving sensitive information at a hospital site that was clearly no longer fit for purpose. The people involved would also have suffered additional distress as a result of the posting of this data on the internet.”

The ICO have also confirmed that all files and records have now been removed from the site and have been appropriately destroyed or filed away in an appropriate secure place.

The Belfast Health and Social Care Trust were given the responsibility to look after the 26-acre site, which contains 40 separate buildings, in 2007 when six separate Trusts merged into one overall Trust. When the Belfast Health and Social Care Trust took control, they employed two security guards on a permanent basis to patrol the grounds and organised five separate patrols to take place on a daily basis to assist them. CCTV and fire and intruder alarms were already in place but soon failed, which left the patrolling guards with a near impossible job of ensuring that trespassers didn’t break into any of the buildings.

At the end of 2007, trespassers managed to break into some of the buildings without the patrolling guards being aware, due to the CCTV and fire and intruder alarm systems being inoperative. The trespassers took photographs of the records and posted their findings on the internet.

The Trust didn’t find out about this until 2010, when someone else told them about the confidential information being posted on the internet. The Trust soon acted and started an investigation, which couldn’t be conducted properly as certain areas of the site had been cordoned off because of asbestos concerns. The Trust also set about improving the security of the site and fixed damaged windows and doors. The apparent security improvements are seen to have been futile, as the Irish News reported that you could still get onto the site in April 2011.

This is yet another case of an NHS Trust showing negligence towards data belonging to patients and staff, and surely an overall review into the handling of data needs to be conducted. The fact that patient records were just left on the floor and on shelves is staggering, and it would be very interesting to know whether plans were ever put in place to keep the files in a secure location when it was decided to close the hospital down.

ICO Hit NHS With a £90,000 Fine

The Central London Community Healthcare NHS Trust has become the latest victim of the Information Commissioner’s Office (ICO), which has imposed an eye-watering £90,000 fine after a series of breaches of the Data Protection Act was eventually brought to their attention.

The data breach occurred over a three month period in which roughly 45 faxes containing confidential patient data were accidentally sent to the wrong person. The Central London Community Healthcare NHS Trust had meant to fax the patient lists to St John’s Hospice. These patient lists contained information relating to 59 people, including their diagnoses, their domestic situation and resuscitation instructions.

After receiving these patient lists for three months, the individual who had been receiving them eventually told Blighty’s health service. The individual stated that they had been receiving these patient lists and that they had shredded them to ensure that the information didn’t go any further.

ICO head of enforcement Stephen Eckersley has commented on this case. Eckersley stated, “Patients rely on the NHS to keep their details safe. In this case Central London Community Healthcare NHS Trust failed to keep their patients’ sensitive information secure. The fact that this information was sent to the wrong recipient for three months without anyone noticing makes this case all the more worrying.”

This is the latest case where the ICO have had to conduct an investigation because of a number of errors. Firstly, the Central London Community Healthcare NHS Trust didn’t have stringent enough measures in place to stop such an error occurring. Secondly, the staff hadn’t been adequately trained in data protection. These two factors combined are the main reason for the ICO imposing the hefty fine.

The trend of confidential data being compromised by people working in the public sector is set to continue, as it is very evident that there are still members of staff who haven’t been appropriately trained in data protection. Yet again, this case suggests that we are still acting reactively and not proactively. The need for more stringent measures to be implemented and for all members of staff to be adequately trained in data protection grows day by day, as the implications become more severe if appropriate measures are not in place.
