Department of Justice, Northern Ireland receives a 185,000 pound monetary penalty notice from the Information Commissioner for disclosing sensitive information

February 13, 2014 |

Anyone who has been part of a big organisation when it moves to new premises knows how complex and difficult it can be. Not only do each worker's files have to be secured and furniture and computer equipment marked, but the organisation's myriad other stores of documents and records, not to mention the more prosaic items from the tea room and the boss's drinks cabinet, have to be marked, packed, moved and unpacked in vaguely the right place in the new premises. Things go awry when the planning is defective and the execution is sloppy, as the Compensation Agency Northern Ireland ("CANI"), an administrative unit of the Department of Justice, discovered when it lost control of a mass of sensitive files left in a filing cabinet which it had sold at auction. The net effect was a £185,000 monetary penalty notice issued by the Information Commissioner's Office on 14 January 2014.

FACTS

CANI moved offices from Royston House in February 2012. It decided to sell any marketable furniture surplus to requirements at auction [4]. A locked four-drawer filing cabinet was then taken out of storage in Royston House, without its contents being checked, and sent to a shared storage room used by CANI to temporarily store all kinds of office furniture prior to its disposal. It was provided to a local auctioneer for a valuation, again without its contents being checked. Apparently the key to the filing cabinet had been mislaid [5]. On 12 March 2012 it was transported to the local auction and sold to a buyer. The buyer forced the lock and discovered that the cabinet contained official-looking papers dating from the mid-1970s to 2005. The police were called, took possession of the papers and returned them to CANI [6].

The official papers contained:

  • a limited amount of confidential, ministerial advice; and
  • highly sensitive personal data relating to victims of a terrorist incident, the injuries suffered, their family details including addresses and in some cases the amount of compensation offered by CANI.

The Commissioner found that at the time the only written instruction to staff in relation to this office move was a Chief Executive's Notice stating:

‘Heads of Branch are asked to do a quick check around their offices to ensure that all cupboards, pedestals, cabinets etc. have been accounted for (know where they are going i.e. moving or staying) and that the contents have been packed or disposed of’.

CANI has since implemented detailed procedures for the removal of cupboards, pedestals and filing cabinets etc. from one office location to another (including furniture that is locked and/or kept in storage).

DECISION

The ICO regarded paragraph 9 of Part II of Schedule 1 to the Data Protection Act 1998 as the relevant provision. It provides:

"Having regard to the state of technological development and the cost of implementing any measures, the measures must ensure a level of security appropriate to –

(a) the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage as are mentioned in the seventh principle, and

(b) the nature of the data to be protected".

The Commissioner was satisfied that there had been a serious contravention of the Seventh Data Protection Principle, in particular a failure to take appropriate organisational measures against unauthorised processing and accidental loss of confidential and sensitive personal data. That included a failure to have detailed procedures in place for the removal of cupboards, pedestals and filing cabinets etc. from one office location to another.

The Commissioner regarded the contravention as serious because an office move is normally a risky operation in terms of ensuring that personal data is handled securely, and much tighter controls would be expected bearing in mind the political and highly sensitive nature of the personal data contained in the filing cabinet.

The Commissioner was satisfied that the contravention was of a kind likely to cause substantial distress. Confidential and sensitive personal data was put at risk of unauthorised processing and accidental loss by the inadequate organisational measures taken. Given the nature of the information and the circumstances which led to it being held, that failure was likely to cause substantial distress to the data subjects, even if only through knowing that their confidential and sensitive personal data had been accessed by a buyer at auction who had no right to see it. The Commissioner also found that the data subjects would be likely to be distressed by justifiable concerns that their data may be further disseminated, even if those concerns never actually materialise.

Accordingly the Commissioner was satisfied that section 55A(3) of the Act applied, in that the Department of Justice knew or ought to have known that there was a risk that the contravention would occur, and that such a contravention would be of a kind likely to cause substantial distress, but failed to take reasonable steps to prevent it. The Commissioner took this view because of the political and highly sensitive nature of the personal data contained in the filing cabinet, and because the Department of Justice was used to dealing with such information and had already taken some steps to safeguard the official papers by locking them in a fireproof filing cabinet in a storage room. In the Commissioner's view it should have been obvious to the Department of Justice that such a contravention would be of a kind likely to cause substantial distress to the data subjects given the nature of the data involved.

The Commissioner found the following aggravating factors were present:

  • An investigation revealed three other 'near misses' arising out of this office move.
  • The Department has sufficient financial resources to pay a monetary penalty up to the maximum without causing undue financial hardship.
  • The data controller is a public authority, so liability to pay any monetary penalty will not fall on any individual.

In terms of mitigation the Commissioner took into account:

  • There is no evidence, as far as the Commissioner is aware, that the official papers have been further disseminated.
  • Remedial action was taken.
  • The Department of Justice was fully cooperative.
  • There was a full investigation.
  • Liability to pay the monetary penalty will fall on the public purse, although the penalty will be paid into the Consolidated Fund.
  • The security breach has had a significant impact on the reputation of the Department of Justice.

The other relevant factor the Commissioner took into account was that the Department of Justice had also contravened the Fifth Data Protection Principle (Part I of Schedule 1 to the Act), in that the data was kept for longer than was necessary for its purposes.

ISSUES

The regulatory regimes differ as between Australia and the United Kingdom, but the same broad principles apply regarding data storage, usage and security. Under the rubric of the Privacy Act, given the sensitivity of the information, it is highly likely that this event would, in the Australian context, be a serious interference with privacy for the purpose of section 13G of the Act (in effect as of 12 March 2014).

The advantage of reviewing these penalty notices, the findings of the Canadian Privacy Commissioner and the FTC settlement orders is that they are quite analytical and contain more detailed reasoning than the relatively small number of decisions of the Privacy Commissioner, which tend to be cryptic. Under the new regulatory regime the Federal Court will develop a body of jurisprudence in civil penalty proceedings. The Federal Court has a long history of dealing with actions brought by the ACCC and/or ASIC, which will probably influence its approach. But there are many distinct and specific issues in privacy law which are not easily subsumed under the principles established in misleading and deceptive conduct cases or breach of fiduciary duty cases (to name but two forms of action). Privacy jurisprudence should be distinct and separate. Developments in overseas jurisdictions may, and probably should, be considered in proceedings. While the Privacy Commissioner will issue final guidelines on compliance, it is for the Federal Court to consider, interpret and apply the law.

Another issue that arose in the investigation was the failure of the Department of Justice to destroy or de-identify data. The documents ranged from 7 to 40 years old. This compounded an already bad situation for the Department of Justice.

In addition to the monetary penalty, this form of enforcement action brings significant reputational damage. The ICO issued a press release titled "£185,000 penalty after filing cabinet containing details of terrorist incident sold at auction", which was picked up and reported by the BBC, by the US publication One News Page and by the Belfast Telegraph, to name some but not all of the press coverage. This should be a salient lesson to the many organisations that remain non-compliant with the amendments to the Privacy Act which will take effect in less than a month.
