Tag Archives: Information Commissioner’s Office (ICO)

UK’s ICO Data Protection Act

The UK Data Protection Act, enforced by the Information Commissioner’s Office (ICO), regulates the use of personal data held by commercial and non-commercial organisations as well as by individuals. Such data may have been acquired for many different reasons, and compliance is expected regardless of the reason. The ICO is a self-regulating authority created to uphold information rights and protect personal privacy.

Basic Interpretative Provisions

The Data Protection Act defines “Data” as “information which—

(a) is being processed by means of equipment operating automatically in response to instructions given for that purpose,

(b) is recorded with the intention that it should be processed by means of such equipment,

(c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system,

(d) does not fall within paragraph (a), (b) or (c) but forms part of an accessible record as defined by section 68,

(e) is recorded information held by a public authority and does not fall within any of paragraphs (a) to (d)”.

The Data Protection Act further defines “Personal Data” as “data which relate to a living individual who can be identified—

(a) from those data, or

(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual”.

The Data Protection Act also defines “Sensitive Personal Data” as personal data consisting of information as to—

(a) the racial or ethnic origin of the data subject,

(b) his political opinions,

(c) his religious beliefs or other beliefs of a similar nature,

(d) whether he is a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992),

(e) his physical or mental health or condition,

(f) his sexual life,

(g) the commission or alleged commission by him of any offence, or

(h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.

The ICO has already levied penalties under the Data Protection Act for data breaches. The size of those fines shows that the ICO is serious about enforcing the Act. It continues to monitor violations and regulate the provisions of the Act across the entire UK. For that reason, if you are a UK-based organisation engaged in a service that involves collecting information or data of any kind, you need to pay special attention to compliance with the Act so as to avoid penalties and legal action. It must be noted that compliance with the Data Protection Act is not optional; it is mandatory.


Ministry of Justice Fined by ICO

The Ministry of Justice has been fined £180,000 by the Information Commissioner’s Office (ICO) after an investigation concluded that there were serious failings in the handling of confidential data.

Confidential data belonging to almost 3,000 prisoners at Erlestoke prison in Wiltshire was compromised after a hard drive was lost. None of the data on the hard drive was encrypted, despite previous efforts to improve the security of confidential data transported on portable devices.

The hard drive was lost in 2013 and contained confidential information about prisoners’ health and drug misuse, information about inmates’ victims and visitors and material on organised crime.

This incident occurred even though something very similar had happened back in 2011, when another lost hard drive compromised data belonging to 16,000 prisoners. In an attempt to protect the data after that loss, the Ministry of Justice provided the Prison Service with hard drives that could be encrypted.

Despite this, a lack of communication and training resulted in the government body failing to explain to employees that the encryption option had to be switched on manually.

Stephen Eckersley, the ICO head of enforcement, stated, “The fact that a government department with security oversight for prisons can supply equipment to 75 prisons throughout England and Wales without properly understanding, let alone telling them, how to use it, beggars belief.”

Eckersley added, “The result was that highly sensitive information about prisoners and vulnerable members of the public, including victims, was insecurely handled for over a year. We hope this penalty sends a clear message that organisations must not only have the right equipment available to keep people’s information secure, but must understand how to use it.”

A spokeswoman for the Ministry of Justice stated, “We take data protection issues very seriously and have made significant and robust improvements to our data security measures. These hard drives have now been replaced with a secure centralised system.”

The spokeswoman added, “Incidents like this are extremely rare and there is no evidence to suggest that any personal data got into the public domain.”

This incident is another example of an organisation acting reactively rather than proactively, with the result that confidential data was compromised. It also shows the importance of having effective training and communication procedures in place: a control that exists but is not switched on protects nothing, so the encrypted state of portable media has to be verified, not assumed.
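The failure described above was not a missing control but an unverified one: the drives could be encrypted, yet nobody checked that they were. The following is an added example, not code from this post or from the Ministry of Justice or ICO, of the kind of pre-issue audit a defender would run over images of portable drives before handing them out. It recognises the on-disk headers of two common full-disk encryption formats (LUKS places the magic `LUKS\xba\xbe` at byte 0; BitLocker places the OEM ID `-FVE-FS-` at byte 3 of the volume boot record) and falls back to a byte-entropy heuristic for anything else. The drive images and their names (`luks_drive`, `plain_drive` and so on) are constructed in the script for illustration.

```python
import math
import random

# Real on-disk signatures of two full-disk encryption containers.
LUKS_MAGIC = b"LUKS\xba\xbe"        # offset 0 of a LUKS1/LUKS2 header
BITLOCKER_MAGIC = b"-FVE-FS-"       # offset 3 of a BitLocker volume boot record


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of `data`: 0.0 for empty input, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_volume(image: bytes, sample_size: int = 65536,
                    entropy_floor: float = 7.5) -> str:
    """Classify the start of a disk image as 'luks', 'bitlocker',
    'high-entropy' (no known header but looks encrypted) or 'cleartext'."""
    if image.startswith(LUKS_MAGIC):
        return "luks"
    if image[3:3 + len(BITLOCKER_MAGIC)] == BITLOCKER_MAGIC:
        return "bitlocker"
    # No recognised container header: fall back to an entropy heuristic.
    # Ciphertext is indistinguishable from noise; documents and databases are not.
    if shannon_entropy(image[:sample_size]) >= entropy_floor:
        return "high-entropy"
    return "cleartext"


def audit_drives(images: dict) -> dict:
    """Map each drive name to its classification."""
    return {name: classify_volume(img) for name, img in images.items()}


def unencrypted_drives(images: dict) -> list:
    """Names of drives that must not be issued: no encryption evidence at all."""
    return sorted(name for name, cls in audit_drives(images).items()
                  if cls == "cleartext")


def _noise(n: int, seed: int) -> bytes:
    """Deterministic pseudo-random filler standing in for ciphertext (constructed)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed sample images; names and contents are hypothetical.
SAMPLE_IMAGES = {
    "luks_drive": LUKS_MAGIC + _noise(65536, 1),
    "bitlocker_drive": b"\xeb\x58\x90" + BITLOCKER_MAGIC + _noise(65536, 2),
    "unknown_cipher_drive": _noise(65536, 3),
    "plain_drive": b"NAME,DOB,NOTES\n" * 4000,   # an exported CSV, never encrypted
}

if __name__ == "__main__":
    for name, cls in audit_drives(SAMPLE_IMAGES).items():
        print(f"{name:22s} {cls}")
    print("do not issue:", unencrypted_drives(SAMPLE_IMAGES))
```

On a real host the image prefix would come from reading the first 64 KiB of the block device; the header checks are exact, while the entropy fallback is only a heuristic (a compressed archive also scores high), so a "high-entropy" result should prompt a look at the device, not be taken as proof of encryption.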
