ICO takes action against personal data losses in UK

By EDRi · September 9, 2009

After the UK Information Commissioner’s Office (ICO) found Wigan schools in
breach of the Data Protection Act following the theft of a laptop holding
personal information on about 43 000 children and young people, Wigan
Council agreed to sign an Undertaking to take the necessary measures to
comply with the law.

The stolen laptop was stored in a locked office, but it was not encrypted and
the data on it was not protected. By signing the Undertaking, Wigan Council
has agreed to ensure the encryption of all portable and mobile devices,
including laptops used to store and transmit personal data. The commitment
also covers training staff on the data storage policy and obliging them to
adhere to it. Additional appropriate data protection measures will also be
implemented.

This is just one of many cases of personal data loss in the UK and Ireland
over the last few years. In the August 2008 case, in which PA Consulting
lost a memory stick containing personal data on the prison population and
offenders, it has emerged that the amount of lost data was much higher than
first stated.

In its Resource Accounts for 2008-2009, the Home Office has admitted that the
lost device did not contain data on 127 000 people, as initially believed,
but on about 377 000 people. The additional 250 000 records are data on
users of the Drug Interventions Programme. These users are recorded only by
their initials rather than their full names, so the personal data is limited
in nature.

The Information Commissioner, Christopher Graham, has also expressed his
opinion that the courts and Parliament are to blame for the leakage of
personal information that was discovered during the ICO’s Motorman
investigation into a private investigator’s activities.

The investigation revealed 17 500 requests from about 400 journalists to
the private investigator for private information on political personalities,
celebrities or security personnel. The journalists used the information
obtained in this way as the basis for various published articles.

Graham said that obtaining and selling personal data without permission, as
well as publishing stories based on data obtained by deception, was in breach
of the Data Protection Act, which says that organisations must guard against
unlawful data processing. He reminded the House of Commons Select Committee
on Culture, Media and Sport that the ICO had already revealed the problems
of the trade in personal data in 2006, in a report “What Price Privacy Now?”,
but that no action had been taken by the authorities.

“We were let down by the courts, who didn’t seem to be interested in levying
even the pathetic fines they had at their disposal; we were rather let down
by parliament in the end, with no legislation; and we were let down by the
newspaper groups, which didn’t take it seriously,” said Graham.

ICO Press Release – Wigan Council improves security after details on most
school children are stolen (2.09.2009)
http://www.ico.gov.uk/upload/documents/pressreleases/wigan_020909_final.pdf

Home Office coughs to larger data loss (28.08.2009)
http://www.theregister.co.uk/2009/08/28/home_office_data_loss/

Drug records added to data loss (26.08.2009)
http://www.kable.co.uk/home-office-data-loss-26aug09

Courts and Parliament ‘let us down’ on personal data trade, says privacy
watchdog (2.09.2008)
http://www.out-law.com/page-10349

Data Protection Act 1998 – Undertaking by Wigan Council as data controller
http://www.ico.gov.uk/upload/documents/library/data_protection/notices/wigan_council_undertaking.pdf

Home Office Resource Accounts 2008-09 (21.07.2009)
http://www.official-documents.gov.uk/document/hc0809/hc04/0466/0466.pdf

EDRI-gram: UK Watchdog asks the European Commission to adopt security breach
law (10.09.2008)
http://www.edri.org/edrigram/number6.17/ncc-security-breach-law