In the UK, the Treasury Solicitor’s Department has signed an undertaking with the Information Commissioner’s Office.
As described in the undertaking, there had been a number of self-reported breaches involving exposure of individuals’ information due to incomplete redactions or failure to fully check:
The Information Commissioner (the ‘Commissioner’) was contacted by the data controller on 6 February 2012, 24 August 2012, 30 August 2012 and 3 January 2013 and was made aware of several separate breaches of the Act.
Three of the self-reported breaches involved case files being sent to a claimant’s solicitor and then on to the claimant during the course of litigation with un-redacted third party personal data contained within them. These incidents resulted in the personal data being disclosed in error to third parties.
The fourth and remaining self-reported breach involved a bundle of case papers relating to an unfair dismissal claim. These were sent to an individual during the process of the claim and contained personal data relating to another individual’s separate claim. This incident resulted in third party personal data being disclosed in error.
Although the department had some measures in place, as evidenced by the fact that some data had been redacted in the first three breaches, the ICO determined that there were gaps in the department’s procedures that needed further improvement. Under the conditions of the undertaking, the department must ensure that:
(1) a clear, documented procedure for staff to follow when preparing information for disclosure is implemented within 6 months. This should incorporate a defined checking process with emphasis on the steps to be taken prior to release. The procedure should account for both sensitive personal data and personal data relating to third parties;
(2) the communication requirements between Junior and Senior lawyers carrying out the disclosure process is defined by a structured, formal procedure with clear lines of communication and implemented within 6 months. The responsibilities of staff members should be clearly explained within this procedure; and
(3) a mandatory and comprehensive training programme regarding compliance with the Act for all new and existing staff is put in place within 6 months. This should include how training will be presented, tested, refreshed and the frequency of delivery for each.