Tag Archives: Mr Gorrill

Parliamentary data leak addressed by ICO

The Information Commissioner’s Office (ICO) has looked into an incident during which the personal data of many MPs was left open to exploitation during ongoing IT work carried out in the summer of 2010.

As a result of the ICO’s investigation, the Independent Parliamentary Standards Authority (IPSA) has said that it will be clamping down to ensure that such an eventuality is not possible in the future.

For almost a full 24-hour period, details ranging from bank account numbers to home phone numbers were available to anyone with an MP's expense account login. This could have allowed rivals to search for incriminating evidence, or unscrupulous workers to sell the data for personal gain.

The ICO's Mick Gorrill explained that maintenance work on IT systems and databases has to be carried out with an adequate level of security in place to protect the details stored within them. He also said that thorough testing of such systems after any changes are made would prevent exposures such as this one.

Mr Gorrill pointed out that the MPs whose data was revealed during this incident could have become the victims of fraud as a result.

Prevention of future incidents will be handled by the IPSA, which has followed other public and private sector organisations in committing to one of the ICO's formal undertakings. A reappraisal of how admin accounts are managed and how breaches are detected and monitored will be a key step required by the undertaking.

IPSA released a statement explaining that 11 MPs were directly affected by the incident. On being notified of the breach, it immediately removed the offending data access and then alerted the ICO. It also said that in the aftermath of the incident it acted quickly to close any remaining loopholes in the system left by the maintenance work.

The incident has led to a complete restructuring of the access hierarchy for Parliamentary expenses data. Greater restrictions have been added to prevent unwarranted access to sensitive information, and monitoring capabilities have been expanded so that such issues are much simpler to detect in future.

Yorkshire Building Society suffers data loss after laptop theft

The Information Commissioner’s Office (ICO) has become involved in a data loss incident involving Yorkshire Building Society (YBS) after it emerged that the firm had become the victim of laptop theft.

The stolen laptop is considered particularly vulnerable to exploitation because it was completely unencrypted, leaving customers' personal financial details exposed to third parties.

Earlier in the year the ICO was granted new powers to impose fines of up to half a million pounds on businesses and organisations that breach the Data Protection Act (DPA) through incidents such as this. However, it has not yet chosen to impose a fine, and has instead asked YBS to commit to a formal undertaking to improve its data protection policy.

According to an ICO statement, a data loss incident warrants a fine only where it has actively and deliberately caused damage, financial or otherwise, to a particular member of the public. The regulator also takes on board the level of cooperation it receives from the business involved; in this case YBS has been compliant and helpful and has therefore avoided a financial penalty.

The ICO's Mick Gorrill said that the stolen laptop is of grave concern in this instance not only because it was unencrypted, but also because of the sheer amount of customer information it was known to contain. This information included passwords and login details, and thieves were able to take the laptop because it was left unprotected outside working hours.

Mr Gorrill explained that the YBS employee responsible for the laptop had put the data at unnecessary risk, since there was no need for such a large amount of information to be stored on the laptop for everyday purposes. He said that employees should have limited access to data, with only what is essential for their work held on portable devices.

Mr Gorrill said that YBS had acted appropriately in the circumstances and was fully cooperating with the formal undertaking, which should reduce the chances of such a data loss recurring.

NHS data loss incidents occur too frequently says regulator

The NHS has been openly criticised by the Information Commissioner’s Office (ICO) for its unacceptable catalogue of high profile data loss scandals in breach of the Data Protection Act.

The NHS Trust most recently involved in a serious data loss incident operates in Basingstoke and North Hampshire. In this case the weaknesses in its policies were exposed after a spreadsheet containing the personal details of nearly 1000 patients was emailed from an insecure account in order to transfer the data between departments.

A second NHS Trust, in Stoke-on-Trent, was forced to announce that, because of a filing error, the details of nearly 2000 physiotherapy patients could easily have been lost or erased through negligence.

The ICO has used its powers to secure signed undertakings from the heads of both trusts. These should ensure that their policies for handling private data do not lead to further contraventions of the Data Protection Act.

According to the ICO's Mick Gorrill, 25 per cent of the data-related incidents reported to the ICO originate within the NHS. Mr Gorrill said that the NHS must take the threats to its patient data seriously in order to halt the seemingly perpetual procession of data breaches, losses and thefts from within the organisation.

Mr Gorrill said that it would be unreasonable for the NHS to dismiss every data loss incident as a simple mistake caused by human error, and suggested instead that fundamental changes need to be made to its basic policies and procedures.

The ICO is calling for a particular focus on protecting data while it is being transferred between departments. Without appropriate protection, it believes that the personal details of thousands more UK patients could easily slip through the net, and the watchdog appears to consider it only a matter of time before the NHS has to respond to yet another damaging data loss incident.
