Monday 1 October 2012

UK Data Protection Review for September 2012

ICO fines Scottish Borders Council £250,000 after employee records found in an over-filled recycling bin in a supermarket car park
  • More than 600 files were deposited at the recycle bins, containing confidential information and, in a significant number of cases, salary and bank account details. The files were spotted by a member of the public who called police, prompting the recovery of 676 files. A further 172 files deposited on the same day but at a different paper recycling bank are thought to have been destroyed in the recycling process.
  • Even though a third party caused the breach, the Council was found responsible. Scottish Borders Council employed an outside company to digitise the records, but failed to seek appropriate guarantees on how the personal data would be kept secure.
  • The Data Protection Act requires that, if you decide to use another organisation to process personal data for you, you remain legally responsible for the security of the data and for protecting the rights of the individuals whose data is being processed. 
  • Scottish Borders Council put no contract in place with the third party processor, sought no guarantees on the technical and organisational security protecting the records and did not make sufficient attempts to monitor how the data was being handled.
  • The Information Commissioner used his powers under the Data Protection Act to impose a Civil Monetary Penalty of £250,000 on the Council.
  • A classic case of an organisation taking its eye off the ball when it came to outsourcing. When the Council decided to contract out the digitising of these records, it handed large volumes of confidential information to an outside company without performing sufficient checks on how securely the information would be kept, and without even putting a contract in place.
ICO reminds businesses of data responsibilities as more look to cloud computing to process personal information
  • Seek assurances on how your data will be kept safe. How secure is the cloud network, and what systems are in place to stop someone hacking in or disrupting your access to the data?
  • Think about the physical security of the cloud provider. Your data will be stored on a server in a data centre, which needs to have sufficient security in place.
  • Have a written contract in place with the cloud provider. This is a legal requirement, and means the cloud provider will not be able to change the terms of the service without your agreement.
  • Put a policy in place to make clear the expectations you have of the cloud provider. This is key where services are funded through adverts targeted at your customers: if they’re using personal data and you haven’t asked your customers’ permission, you’re breaking data protection law.
  • Don’t forget that transferring data internationally brings a number of obligations – that includes using cloud storage based abroad.

ICO pressing for custodial sentences
  • The Information Commissioner's Office (ICO) has admitted that it is ‘pressing for’ custodial sentences for malicious data loss with the UK government.
