In yet another case of negligence, the ICO has slammed Southwark Council for losing data belonging to 7,200 people.
The Information Commissioner’s Office (ICO) found that Southwark Council had breached the Data Protection Act by losing a computer and papers during an office move in December 2009. No fine was imposed because the case was too old.
The ICO’s enquiries found that information handling and decommissioning policies were ignored when the offices were vacated. The council also failed to ensure that the information on the computer was encrypted. The information included names and addresses, as well as information relating to ethnic background, medical history and criminal convictions.
Acting Head of Enforcement Sally Anne Poole stated: “The fact that thousands of residents’ personal details went missing for over two years clearly shows that Southwark Council’s policies for handling personal information are below standard. As this information was lost before the ICO received the power to issue financial penalties we are unable to consider taking more formal action in this case.”
The Council, which has agreed to overhaul its data security procedures and to be audited in 2012 to gauge its compliance, joins the other 105 councils, schools, trusts and businesses which have signed undertakings with the Commission since January 2010. The body has also issued three enforcement notices, conducted two prosecutions, and has only been able to issue fines to six organisations ranging from £1,000, issued to controversial anti-piracy lawyer Andrew Jonathan Crossley, to £120,000 issued to Surrey County Council.
ViaSat UK’s Chris McIntosh added: “This data breach further demonstrates that organisations are still woefully complacent in their handling of sensitive information. The medical history and criminal convictions of thousands of constituents in Southwark Council is information that should never make it into the public domain and has the potential to seriously disrupt the lives of those affected. The further fact that the names and addresses of these individuals were on the unencrypted computer puts them at real risk of identity fraud. Public sector organisations such as this need to ensure that information security measures are not only implemented but more importantly followed. It is a shame that in this case the ICO is unable to use its powers to issue a financial penalty, as hopefully this will start to act as a real deterrent in the future.”