UK Data Protection Review for November 2012

ICO serves Prudential with a £50,000 fine after a mix-up over the administration of two customers’ accounts led to tens of thousands of pounds, meant for an individual’s retirement fund, ending up in the wrong account. 

• This is the first monetary penalty served by the ICO that doesn’t relate to a significant data loss, but is against not ensuring the customer information held was accurate and kept up-to-date 
• The original error was caused when the records of both customers, who share the same first name, surname and date of birth, were mistakenly merged in March 2007.
• The accounts remained confused for more than three years, and the problem was only resolved in September 2010. This was despite the company being alerted to the mistake on several occasions, including a letter from one of the customers in late April 2010 which clearly indicated his address had not changed for over 15 years. The company failed to investigate thoroughly at this point and the penalty imposed today relates to the inaccuracy then present which continued for a further six months.

ICO fines Plymouth City Council £60,000 for sending child neglect report to wrong person

• The report included highly sensitive personal information about two parents and four children, notably allegations of child neglect resulting in ongoing care proceedings.
• An investigation by the ICO found that the council had no secure system in place for printing reports containing sensitive personal data, and had failed to take reasonable steps to ensure reports were checked before they were sent out.
• ICO stated although caused by human error, consider that the company hadn’t taken enough care when handling vulnerable people’s sensitive information.
• ICO stated “The distress this incident will have caused the people involved is obvious, and the penalty we have issued today reflects that

ICO served monetary penalties totalling £440,000 on two owners of a marketing company which has plagued the public with millions of  spam texts over the past three years

• Fine for breaching Privacy and Electronic Communications Regulations (PECR), which was approved in January 2012
• The largest ICO fine to data
• The ICO is also currently considering issuing penalties to three other companies believed to be acting in breach of the regulations as the office continues its crackdown on the illegal marketing industry.
• All marketing by text message, email and mailshots, always are fully compliant with the Privacy and Electronic Communications Regulations (PECR) and the Data Protection Act (DPA).

ICO penalty ‘loop hole’ highlighted

• Media reports suggest organisations have considered using a “loophole” to avoid data breach fines – by asking the privacy regulator, the Information Commissioner’s Office (ICO), to audit them when they already know personal data has been lost or stolen.
• The ICO have said not to fine any company for breaches of the Data Protection Act if they are discovered during a voluntary audit. It appears that no matter how badly a company has performed, if the poor practice comes to light during an audit, the perpetrator won’t have to pay up