Without fanfare, the ICO has published an undertaking signed by Holroyd Howe Independent Ltd in Reading. The gist of the breach is that in response to a request for a copy of an ex-employee’s payslip (requested by the ex-employee), the data processor mailed a document disclosing the relevant month’s payslips for all of the contract catering firm’s employees.
In the course of investigation, it emerged that the data controller did not have a formal contract in place governing the processing of personal data by this data processor. It was noted that job-related training was given which included emphasis on confidentiality and sensitivity of data where appropriate, although some improvements were identified in relation to policies and procedures. It was further noted that remedial action taken in response to this incident had been prompt and thorough and that no adverse consequences had resulted.