I assume data protection officers are telling their employers about the Monetary Penalty Notice when it arrives on April 6th. Indeed, the first hapless data controller who loses unencrypted confidential or sensitive personal data can be expected to gain a special place in UK data protection history. So it might be worth mentioning that being first in this category will be remembered; "numero uno" is a PR disaster in the making.
If you look at the Commissioner’s web-site you find several examples of data controllers who are lucky that their “incident” happened before April. For example, in mid January this year Lancashire County Council left social work records containing sensitive personal data relating to several individuals in a filing cabinet purchased second-hand by a member of the public, whilst Bellgrange Mortgages and Insurance Services Ltd placed clients’ details in two large waste bins intended for the use of local residents.
One of my favourites is the disposal of old computers belonging to Camden Primary Care Trust (PCT) containing 2,500 individuals’ names, addresses and medical diagnoses; last seen they were left standing (lovingly and invitingly) beside a skip inside the grounds of St. Pancras Hospital. Also lucky was Dr Paul Thomas of the Gipping Valley Practice; this followed the discovery of a Practice server in the car park of the Practice by someone who had the common sense to know that things should not happen this way.
However, readers might want to use an example where there was actually a fine – hence this Blog. It comes from the USA, but the security story is depressingly familiar. A mortgage broker discarded consumers’ personal financial records in a skip and paid a $35,000 civil penalty for the pleasure of settling Federal Trade Commission (FTC) charges.
According to the FTC, the defendant improperly disposed of about 40 boxes of sensitive consumer records collected by companies he had owned, including tax returns, mortgage applications, bank statements, photocopies of credit cards and drivers’ licenses, and at least 230 credit reports. In addition, two mortgage brokerage companies he previously owned failed to provide reasonable and appropriate security for sensitive consumer information, despite promising they would do so.
This engaged the unfair processing angle much beloved of the FTC. Ask yourself a question: “is it unfair for a data controller to sign an undertaking and then renege on its commitments?”. I only mention this to say that “the unfairness approach” has yet to be aired by the Commissioner on this side of the pond. But I think it works!
In addition to imposing a $35,000 penalty, the FTC barred the defendant from misrepresenting measures taken to protect sensitive consumer information and failing to take reasonable measures to protect credit report information during its disposal. The order also requires him to employ a comprehensive information security program for sensitive consumer information, and to hire an independent, third-party security professional to review the program every year for 10 years to ensure that it meets or exceeds the order’s requirements.
Nothing really to add – except, get the message around: "don’t be first!"
Reference: we will be reviewing recent Undertakings in the next Data Protection Update sessions, held with our ex-colleagues at Pinsent Masons. The events are held at Pinsent Masons offices on 12 April (London), 26 April (Manchester) and 10 May 2010 (Edinburgh). The cost will be a recession-busting £95+VAT (and you get Sue and me for the day). We hope to publish an agenda by mid February; details on www.amberhawk.com.