UK Data Protection Review for October 2012
ICO fines Stoke-on-Trent City Council £120,000 after sensitive information about a child protection legal case was emailed to the wrong person
- 11 emails containing sensitive information relating to the care of children were sent to the wrong address by Council employees.
- The fact that the emails and attachments were not encrypted was the root cause of the seriousness of the incident, leading to the high fine. An encrypted file cannot be opened by an unintended recipient, so it is best practice to use file encryption on any document containing sensitive personal information sent outside a company's infrastructure via email.
ICO fines Greater Manchester Police £150,000 following the theft of a memory stick holding sensitive personal data from a police officer’s home
- The ICO action was prompted by the theft of a memory stick containing sensitive personal data from a police officer’s home. The memory stick was not encrypted and contained details of more than a thousand people with links to serious crime investigations.
- The ICO found that a number of police officers across the force regularly used unencrypted memory sticks, which may also have been used to copy data from police computers to access away from the office. Despite a similar security breach in September 2010, the force had not put restrictions on downloading information, and staff were not sufficiently trained in data protection.
ICO serves a £70,000 monetary penalty to Norwood Ravenswood after sensitive information about four children was lost after being left outside of a house
- A social worker, who worked for Norwood Ravenswood, left the detailed reports at the side of the house on 5 December 2011, after attempting to deliver the items to the children’s prospective adoptive parents. At the time neither occupant was at the house, but when they returned to the property the reports were gone. The information has never been recovered.
- The reports contained sensitive information, including details of any neglect and abuse suffered by the children, along with information about their birth families. The ICO’s investigation found that the social worker had not received data protection training, in breach of the charity’s own policy, and received no guidance on how to send personal data securely to prospective adopters.
- In this case the lack of data protection awareness training provided to the social worker was identified as the root cause of the incident; therefore the business was held to account and fined.
ICO releases a statement saying it was concerned about personal data protection within local government and the NHS
- The ICO published four reports which summarise the outcomes of over 60 ICO audits carried out in the private, NHS, local and central government sectors.
- In the health service only one of the 15 organisations audited provided a high level of assurance to the ICO, with the local government sector showing a similar trend with only one out of 19 organisations achieving the highest mark. Central government departments fare little better, with two out of 11 organisations achieving the highest level of assurance.
ICO issues two monetary penalties over £250,000 to two marketers responsible for distributing millions of spam texts
- Spamming is just wrong, especially all those PPI text messages going around at the moment. Nice to see the ICO attempt to go after someone for doing it.