PC World Owner Pinged Over Dumping Customer Data

The owner of PC World (DSG Retail Ltd) has been slapped over the wrist by the Information Commissioner’s Office (ICO), after eight completed customer credit agreements, containing personal and financial details, were discovered in a skip at one of its PC World stores.

The news of this latest data protection breach came to light after the ICO was informed by a local authority’s environmental health department that it had found the documents in January 2010.

It seems that the documents concerned transactions two years earlier at the PC World store. According to the ICO, the documents had been retained beyond the period specified in the data controller’s procedures, and disposed of in a manner inconsistent with those procedures.

No Fine

What should have happened was that the data controller should have transported them in sealed containers to a central facility for secure shredding.

“As a result of this incident, the Commissioner also formed the view that the data protection training given to the data controller’s staff was limited,” said the ICO.

The ICO decided not to fine DSG this time, but instead settled for John Browett, chief executive of DSG, to sign a formal undertaking to prevent a similar breach. DSG is required to undertake a number of steps, including reviewing its security procedures and training its staff on how to comply with the company’s security policies.

Earlier this week, the UK Financial Services Authority fined Zurich Insurance £2.2 million for failing to prevent the loss of customers’ confidential information.

Data Breaches

But the ICO itself has still has not issued any fines, despite naming and shaming a whole host of institutions and public service organisations that have been subject to data breaches. In June, for example, the ICO published a list of all the data breaches reported since 2007. Of the 1,007 reported breaches, the NHS was responsible for 305.

The ICO has warned businesses that if they do not own up to data breaches, they will face tougher action than those that come forward of their volition. Companies that fall foul of data breach laws risk a maximum fine of £500,000 under new powers granted to the ICO in January.