In yet another case of negligence, the ICO has slammed Southwark Council for losing data belonging to 7,200 people.
The Information Commissioner’s Office (ICO) found that Southwark Council had breached the Data Protection Act by losing a computer and papers during an office move in December 2009. No fine was imposed because the case was too old.
The ICO’s enquiries found that information handling and decommissioning policies were ignored when the offices were vacated. The council also failed to ensure that the information on the computer was encrypted. The information included names and addresses, as well as information relating to ethnic background, medical history and criminal convictions.
Acting Head of Enforcement Sally Anne Poole stated: “The fact that thousands of residents’ personal details went missing for over two years clearly shows that Southwark Council’s policies for handling personal information are below standard. As this information was lost before the ICO received the power to issue financial penalties we are unable to consider taking more formal action in this case.”
The Council, which has agreed to overhaul its data security procedures and to be audited in 2012 to gauge its compliance, joins the other 105 councils, schools, trusts and businesses which have signed undertakings with the Commission since January 2010. The body has also issued three enforcement notices, conducted two prosecutions, and has only been able to issue fines to six organisations ranging from £1,000, issued to controversial anti-piracy lawyer Andrew Jonathan Crossley, to £120,000 issued to Surrey County Council.
ViaSat UK’s Chris McIntosh added: “This data breach further demonstrates that organisations are still woefully complacent in their handling of sensitive information. The medical history and criminal convictions of thousands of constituents in Southwark Council is information that should never make it into the public domain and has the potential to seriously disrupt the lives of those affected. The further fact that the names and addresses of these individuals were on the unencrypted computer puts them at real risk of identity fraud. Public sector organisations such as this need to ensure that information security measures are not only implemented but more importantly followed. It is a shame that in this case the ICO is unable to use its powers to issue a financial penalty, as hopefully this will start to act as a real deterrent in the future.”