Southwark Council Found Guilty Of Data Breach

In yet another case of negligence, the ICO has slammed Southwark Council for losing data belonging to 7,200 people.

The Information Commissioner’s Office (ICO) found that Southwark Council had breached the Data Protection Act by losing a computer and papers during an office move in December 2009. No fine was imposed because the case was too old.

Left behind and forgotten

According to a statement released today, the unencrypted iMac and other documents were left in the vacant building for two years before being discovered by the building’s new tenants in June and thrown into a skip.

The ICO’s enquiries found that information handling and decommissioning policies were ignored when the offices were vacated. The council also failed to ensure that the information on the computer was encrypted. The information included names and addresses, as well as  information relating to ethnic background, medical history and criminal convictions.

Acting Head of Enforcement, Sally Anne Poole stated that “The fact that thousands of residents’ personal details went missing for over two years clearly shows that Southwark Council’s policies for handling personal information are below standard. As this information was lost before the ICO received the power to issue financial penalties we are unable to consider taking more formal action in this case.”

The Council, which has agreed to overhaul its data security procedures and to be audited in 2012 to gauge its compliance, joins the other 105 councils, schools, trusts and businesses which have signed undertakings with the Commission since January 2010. The body has also issued three enforcement notices, conducted two prosecutions, and has only been able to issue fines to six organisations ranging from £1,000,  issued to controversial anti-piracy lawyer Andrew Jonathan Crossley, to £120,000 issued to Surrey County Council.

ViaSat UK’s Chris McIntosh added “This data breach further demonstrates that organisations are still woefully complacent in their handling of sensitive information. The medical history and criminal convictions of thousands of constituents in Southwark Council is information that should never make it into the public domain and has the potential to seriously disrupt the lives of those affected. The further fact that the names and addresses of these individuals were on the unencrypted computer puts them at real risk of identity fraud. Public sector organisations such as this need to ensure that information security measures are not only implemented but more importantly followed.  It is a shame that in this case the ICO is unable to use its powers to issue a financial penalty, as hopefully this will start to act as a real deterrent in the future.”