Sometimes the only ways we find out about breaches in the U.K. are if someone files under Freedom of Information or the Information Commissioner’s Office (ICO) has them sign an undertaking. Today, we learn about another breach from an undertaking involving British Show Jumping Association.
The ICO was informed in December 2014 that a file containing a large section of British Show Jumping’s membership database had been emailed to a distribution group in error. The file contained the names, dates of birth, contact details and membership details of 14,152 members. The file had been held for longer than necessary on British Show Jumping’s systems, and had been given the same name as the file that was usually sent to the distribution group.
It became apparent to British Show Jumping before the Commissioner’s investigation that their policies and procedures around data protection were not sufficient, and it engaged the services of a third party to address the areas that were lacking. During the Commissioner’s investigation it became apparent that there were no policies or procedures that provided appropriate advice to staff on emailing personal data, or on retention and naming of documents on shared drives. In addition to this there was no training provided to staff that covered data protection.
Read more in the undertaking (pdf).
No training provided to staff on data protection and they got away with just an undertaking? I’d say they got off lightly.