Privacy watchdog: baring its teeth to protect consumers


Author: Aisling Duffy

Applies to: UK wide

In our increasingly complex world, information security and data misuse are under ever greater scrutiny.

As two investigations are launched by the Information Commissioner's Office ('ICO'), a significant fine is imposed on the Serious Fraud Office and allegations of data security breaches make national headlines, one cannot help but wonder if this spike in awareness is a sign of things to come.

What has been happening?

Over the years, we have seen an increase in data security breaches making their way into the public domain; however, there have been few (if any) weeks where the news has been so heavily dominated by headlines relating to the misuse of data.

On 26 March, the ICO issued a fine of £180,000 against the Serious Fraud Office after a witness in a serious fraud, bribery and corruption investigation was mistakenly sent evidence relating to 64 other people. In particular, in just over 2 years the witness was sent in excess of 2,000 evidence bags, 407 of which included information about third parties, including information showing payments made to those individuals, hospital invoices, DVLA documents and passport details.

During its investigation, the ICO discovered that information being returned to the witness had been prepared by a temporary worker who had received minimal training and had no direct supervision.

This incident was quickly followed by the ICO having to launch 2 separate investigations after allegations were made regarding the sale of pension information and medical information for as little as 5p per individual. This exposes individuals to significant risk: pension reforms are on the horizon, which could result in pensioners being targeted with scams at a time when they can access their full pension pots.

As a result of these allegations and evidence produced to the ICO, the ICO announced that it will be making enquiries to establish whether or not the Data Protection Act and/or the Privacy and Electronic Communications Regulations have been breached.

Steve Eckersley, Head of Enforcement at the ICO, commented that:

'What the Daily Mail has shown us is very worrying indeed. It suggests a frequent disregard of laws that are in place specifically to protect consumers. We will be launching an investigation immediately.'

The claim made by those involved is that this information was collected legitimately and can lawfully be sold.

In relation to the alleged sale of medical information, he also stated:

'People rightly consider information about their health to be sensitive, and in a recent survey we found that half of people consider it to be extremely sensitive. To think such information could be in the hands of unscrupulous businesses looking to profit from it sends a shiver down the spine. We'll be looking into claims made by these companies to consider whether there has been any breach of data protection law.'

This, set against several well-known companies (including British Airways, GitHub and Slack) having been hit by cyber-attacks, means that data security has been a critical issue for discussion this week. In the case of British Airways, it seems as though user accounts were accessed, and individuals became aware when account information had been changed and/or their user accounts had been used without their knowledge. Unfortunately for British Airways, its handling of the incident has also been criticised by security experts, who raised concerns about the technique used by British Airways to ask customers to reset their passwords.

What can we learn from this week?

There are a number of key lessons that we can take from this week:

  • firstly, the ICO can and will impose fines for serious breaches. Failing to have adequate training and supervision in place to ensure compliance with the Data Protection Act and Privacy and Electronic Communications Regulations will not be tolerated.
  • secondly, the ICO is taking a proactive approach and will take immediate action as and when it becomes aware of, or suspects, that laws have been breached.
  • thirdly, having adequate information security programs in place to prevent, detect and correct security breaches is of paramount importance. Having policies and procedures in place to ensure that such incidents are properly escalated, managed and resolved in order to ensure that personal (and other) data is protected is also vital.


This document is for informational purposes only and does not constitute legal advice. It is recommended that specific professional advice is sought before acting on any of the information given.