UK Data Protection Overview for July 2012

ICO imposed a civil monetary penalty (CMP) of £150,000 on the consumer lender, Welcome Financial Services Limited (WFSL), after the loss of more than half a million customers’ details.

• WFSL’s Shopacheck business lost two backup tape.
• The backup tapes contained the names, addresses, dates of birth, loan accounts and telephone numbers of approximately 510,000 of their customers in November 2011. The backup tapes also held personal information of 20,000 current and former employees of WFSL, and 8,000 agents. The backup tapes have not been recovered to date.
• The lost backup tapes were not encrypted
• The ICO deemed WFSL to have broken the 7^th principle of Data Protection Act.
• Principle 7: Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss, destruction or damage to personal data
• ICO stated Data Controller did not follow their own Information Security Policies.
• Significant impact on reputation of the data controller (WFSL) as a result of this security breach which was publicised in national press.

The ICO issued a penalty of £60,000 to St George’s Healthcare NHS Trust in London after a vulnerable individual’s sensitive medical details were sent to the wrong address.

•  Two letters were sent to the correct recipient old address in May 2011, however the address was incorrect, and was a property where the recipient hadn’t lived for over 5 years
• The ICO’s investigation found that the individual’s current address had been provided to the trust’s staff before the medical examination took place. Additionally the correct address had been logged on the national care records service, known as NHS SPINE, in June 2006. The mistake was made after the Trust’s staff failed to use the address supplied before the examination, or check that the individual’s recorded address on their local patient database matched the data on the SPINE. The Trust had setup a prompt to remind staff about the need to check and update patient information against SPINE; however the Trust knew the prompt could be bypassed and failed to take action to address the problem until it was too late.
• The ICO deemed the NHS to have broken the 7^th principle of Data Protection Act.
• Principle 7: Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss, destruction or damage to personal data. There can be significant reputational impact for a data controller as a result of these security breaches. 

The ICO ordered Southampton City Council to stop the mandatory recording of passengers’ and drivers’ conversations in the city’s taxis.

• Since August 2009, the council has required all taxis and private hire vehicles to install CCTV equipment to constantly record images and the conversations of both drivers and passengers
• The ICO has ruled the council’s policy breaches the Data Protection Act, concluding that the recording of all conversations is disproportionate given the very low number of incidents occurring compared to the number of trouble free taxi journeys. An enforcement notice has been issued to the council who now have until 1 November to comply

The ICO publically warn Google following their disclosure of not removing personal data from “Google Street View”.

“The ICO is clear that this information should never have been collected in the first place and the company’s failure to secure its deletion as promised is cause for concern”