I thought that whenever the UK’s Information Commissioner’s Office (ICO) had an entity sign an undertaking to improve data security or privacy protective practices, the office issued a press release. But thanks to Stewart Room, I’ve learned that that’s not necessarily the case. Stewart alerted us all to a recently signed undertaking that involved a barrister, Sarah Phillimore, who breached the Data Protection Act when she lost confidential files. From the undertaking signed this past week, a description of the incident:
In November 2010 the Information Commissioner (the “Commissioner”) received a report that Ms Phillimore had lost a quantity of sensitive personal data, property belonging to a County Council which she was representing in legal proceedings.
Ms Phillimore had been in possession of six folders of case papers required for her handling of a court case in November 2010. On conclusion of the matter she returned four of the folders to her chambers, it not being practical to return all six bulky folders at the one time. On the 13th November Ms Phillimore placed the two remaining folders in her motor vehicle intending to return those too to her chambers. However circumstances prevented this and she consequently left the folders in her vehicle, which was parked in a public street, overnight, intending to return them to her chambers on 14 November 2010.
On the morning of 14 November 2010 Ms Phillimore returned to her vehicle to find it had been broken into and the two folders of court papers stolen.
That March 23 undertaking is not the only recent undertaking that did not result in press release, it seems. As I searched, I found that Aramark Ltd. signed an undertaking on February 25th, following the theft of a laptop containing unencrypted personal information as well as and paperwork containing employee personal data:
The laptop was being used to transport new employees’ personal data from an outgoing service provider’s premises. A graduate manager was taking the personal data home with the purpose of taking it to a secure location the next day. During transit the laptop and paperwork were opportunistically stolen.
The laptop was password protected and stored 109 employees’ national insurance numbers, bank details, and passport numbers. The paperwork included four employees’ bank details and photocopies of their passports. The personal data being transferred had to be collected and checked by the data controller for payroll purposes. It was noted that the data controller proposed appropriate remedial action, and intends to complete an encryption programme for all its laptop computers by 21 January 2011.
“But wait, there’s more!” It seems that Rainforest Alliance Ltd signed an undertaking in November 2010 following the theft of a laptop with unencrypted data:
The Information Commissioner (the “Commissioner”) was provided with a report of the theft of an unencrypted laptop holding personal and financial data relating to employees of the data controller and job applicants. The laptop was being used outside the office environment by a manager, with the data controller’s knowledge and authority, and was stolen from a relative’s home in a domestic burglary.
The laptop was protected by a password, and the data files were also password-protected but not encrypted. It also emerged that only some of the data had been backed up to the office server and the data controller had not provided adequate guidance on physical security measures for those working outside the office.
The undertaking did not indicate how many employees and applicants had data on the stolen laptop or precisely what information fields or data types were involved.
So what have we learned? Well, I’ve learned not to count on the ICO’s press release web site if I really want to know what breaches they have investigated or pursued! None of these three breaches is particularly unusual, and it’s curious that the ICO didn’t issue press releases as a way of reminding data controllers how easily this might happen to them, too.