
Recently Reported Data Protection Breaches

02-11-2011 10:03 by Mandy Webster

In August 2011 cosmetics retailer Lush was found to have breached the Data Protection Act after it was discovered that its website had been compromised over a four-month period. The attackers had been able to access the payment card details of 5,000 customers who had shopped with Lush online. The security of the website was found to be inadequate, and its logging and monitoring of suspicious activity were insufficient, which delayed detection of the compromise. The ICO said that online retailers must meet the Payment Card Industry Data Security Standard (PCI DSS) "or provide equivalent protection when processing customers' credit card details".

The Seventh Data Protection Principle sets out the requirement for "appropriate" technical and organisational security for personal data processing operations. The ICO's statement makes clear that, for credit and debit card details, the appropriate level of security is compliance with PCI DSS, and that detecting a compromise promptly is part of that standard, not an optional extra.

Also in August 2011 two London housing associations were found to have breached the Data Protection Act when an unencrypted memory stick was left in a pub. The memory stick held details relating to thousands of tenants. It belonged to a contractor who was carrying out work for Lewisham Homes and had previously worked for Wandle Housing Association. Both RSLs (registered social landlords) have given undertakings to ensure that all portable data storage devices are encrypted. They will also remind staff of current policies and procedures and monitor compliance with them.

The Association of School and College Leaders was found to be in breach of the Act when a laptop containing sensitive personal data was stolen. The laptop had encryption software installed, but the employee had failed to activate the encryption for the documents concerned. Holly Park School in Barnet also breached the Act when an unencrypted laptop was stolen from a locked office. It held personal data, including sensitive data relating to the health of some pupils. These cases underline that the required standard of security for personal data on a portable device is encryption that is actually in force (installed software that relies on the user to switch it on is not enough), and that locking the device out of sight is not a substitute for it.

In October 2011 Dartford and Gravesham NHS Trust was found to be in breach of the Act after accidentally destroying 10,000 archived records. The records should have been kept in a dedicated storage area but were moved because of a shortage of space and then accidentally destroyed. The Trust confirmed that the loss of the records did not pose a clinical risk to the data subjects.

Also in October 2011 Dumfries and Galloway Council was found to have breached the Data Protection Act by accidentally publishing workers' details on its website in response to a Freedom of Information request. The details published included the names, dates of birth and salaries of around 900 employees and ex-employees. The Council was slow to react to complaints from individuals, and the information remained available online for around two months.

Spectrum Housing Group was found to be in breach of the Data Protection Act in October 2011 after accidentally emailing an Excel spreadsheet containing employee data to the wrong recipient.

All of these cases make good examples for staff training, reminding staff of the risks inherent in handling personal data: inadequate website security and monitoring, unencrypted or not-yet-encrypted portable devices, records stored outside their designated area, publication without checking what is being released, and emails sent to the wrong recipient.