Sunday 3 March 2013

UK Data Protection Review for February 2013

    • The council lost three DVDs related to a nurse’s misconduct hearing, which contained confidential personal information and evidence from two vulnerable children. An ICO investigation found the information was not encrypted.
    • The council had been couriering evidence relating to a ‘fitness to practise’ case to the hearing venue. When the packages were received the discs were not present, though the packages showed no signs of tampering. Following the security breach the council carried out extensive searches to find the DVDs, but they’ve never been recovered
    • ICO stated “failure to ensure these discs were encrypted placed sensitive personal information at unnecessary risk. No policy appeared to exist on how the discs should be handled, and so no thought was given as to whether they should be encrypted before being couriered. Had that simple step been taken, the information would have remained secure and we would not have had to issue this penalty”

    • They were caught carrying out the breaches for non-policing purposes, BBC Wales has discovered under the Freedom of Information Act. 
    • Included checks on partners, relatives and associates, altering their own records, and passing data to third parties.
    • Four people were sacked and 14 resigned as a result of the breaches

    • ICO said Compulsory data protection audits of councils and the NHS are needed to help eliminate "really stupid basic errors"

No comments: