- More than 600 files were deposited at the recycling bins, containing confidential information and, in a significant number of cases, salary and bank account details. The files were spotted by a member of the public who called police, prompting the recovery of 676 files. A further 172 files deposited on the same day but at a different paper recycling bank are thought to have been destroyed in the recycling process.
- Even though a third party caused the breach, the Council was found responsible. Scottish Borders Council employed an outside company to digitise the records, but failed to seek appropriate guarantees on how the personal data would be kept secure.
- The Data Protection Act requires that, if you decide to use another organisation to process personal data for you, you remain legally responsible for the security of the data and for protecting the rights of the individuals whose data is being processed.
- Scottish Borders Council put no contract in place with the third party processor, sought no guarantees on the technical and organisational security protecting the records and did not make sufficient attempts to monitor how the data was being handled.
- The Information Commissioner is to use his powers under the Data Protection Act to impose a Civil Monetary Penalty of £250,000 on the Council.
- A classic case of an organisation taking its eye off the ball when it came to outsourcing. When the Council decided to contract out the digitising of these records, they handed large volumes of confidential information to an outside company without performing sufficient checks on how securely the information would be kept, and without even putting a contract in place.
- ICO releases a guide to cloud computing, to help businesses comply with the law. The guide gives tips including:
  - Seek assurances on how your data will be kept safe. How secure is the cloud network, and what systems are in place to stop someone hacking in or disrupting your access to the data?
  - Think about the physical security of the cloud provider. Your data will be stored on a server in a data centre, which needs to have sufficient security in place.
  - Have a written contract in place with the cloud provider. This is a legal requirement, and means the cloud provider will not be able to change the terms of the service without your agreement.
  - Put a policy in place to make clear the expectations you have of the cloud provider. This is key where services are funded through adverts targeted at your customers: if they're using personal data and you haven't asked your customers' permission, you're breaking data protection law.
  - Don't forget that transferring data internationally brings a number of obligations; that includes using cloud storage based abroad.
- The Information Commissioner's Office (ICO) has admitted that it is 'pressing for' custodial sentences for malicious data loss with the UK government.