UK Information Commissioner’s office takes action against real estate agent for failing to keep personal information secure and inappropriate disposal practices

August 12, 2014

The Information Commissioner’s Office (the “ICO”) has entered into an enforceable undertaking with Thamesview Estate Agents, which engaged in practices inconsistent with properly handling personal information and disposing of it securely: it left transparent bags of documents containing personal information on the street for collection and disposal by a third party. The contents of the bags could be viewed by passers-by.

The press release provides:

The Information Commissioner’s Office (ICO) has taken action after a London estate agent continued to leave papers containing personal information on the street despite a previous warning.

On 11 December 2013, the ICO was informed that an outlet owned by Thamesview Estate Agents was leaving papers containing personal information in the street. The papers were stored in transparent bags and the information was clearly visible to anyone who walked past. The ICO warned the company that it must improve its compliance with the Data Protection Act by disposing of the information securely. 

On 13 March 2014, the ICO was contacted by the original complainant and informed that the outlet was still leaving its customers’ information in the street.

The ICO found that the estate agent’s staff were not aware that they were acting in breach of the company’s guidance on the secure disposal of confidential waste. Thamesview Estate Agents also had no contract in place with the companies hired to securely dispose of their branches’ confidential waste.

ICO Head of Enforcement, Stephen Eckersley, said:

“Customers of Thamesview Estate Agents will be rightly concerned that their information was left on a street for all to see. The papers visible to the public included copies of customer’s passports and details of previous tax payments. This could be all a fraudster would need to steal someone’s identity. 

“Despite a previous warning from our office, the company failed to address this issue. This is why we’ve served the business with an undertaking committing them to improving the way they handle their customers’ information.” 

Thamesview Estate Agents have signed an undertaking committing the company to making sure that all of its branches keep the personal information of their customers secure. They must also introduce refresher training for all of their staff by 31 December 2014 and make sure that they have formal contracts in place with any companies responsible for destroying their customers’ information.

The undertaking provides:

  1. Thamesview Estate Agents Ltd is the data controller as defined in section 1(1) of the Data Protection Act 1998 (the ‘Act’), in respect of the processing of personal data carried out by Thamesview Estate Agents Ltd and is referred to in this Undertaking as the ‘data controller’. Section 4(4) of the Act provides that, subject to section 27(1) of the Act, it is the duty of a data controller to comply with the data protection principles in relation to all personal data in respect of which it is a data controller.
  2. The Information Commissioner (the ‘Commissioner’) received an email from a Community Support Officer of the Metropolitan Police Service on 11 December 2013, which stated that an estate agent, Robertson, Smith & Kempson, which is one of the data controller’s brands, was insecurely disposing of personal data in transparent refuse sacks left in the street. The complainant had brought the issue to the data controller’s attention the previous week, however he had observed that data continued to be left in the street over a number of subsequent days. The Commissioner contacted the data controller on 24 December 2013 to instruct it not to dispose of personal data in this insecure manner. In spite of this, a further incident was observed by the complainant on 12 March. This too was reported to the Commissioner.
  3. Photographs provided by the complainant showed that transparent refuse sacks were left unattended outside the front of the data controller’s premises with documents containing personal data clearly visible inside them. Whilst relatively little of the personal data contained in the sacks was sensitive personal data, as defined by section 2 of the Act, the sample of personal data provided by the complainant showed that personal data such as copies of passports and tax credit awards were contained within the sacks, which could have been used for the purposes of identity fraud.
  4. By way of enquiries it was established that staff were insufficiently aware of the data controller’s policies around the disposal of confidential waste. Confidential waste was stored within the data controller’s premises in a way that allowed staff and contractors who had no legitimate reason to handle this personal data to access it. Additionally, whilst it was not of direct relevance to the circumstances of this incident, it was established that the data controller did not have a contract with the data processors they used to securely dispose of the data as required by the seventh Data Protection Principle. This is of concern to the Commissioner as whilst one of the data processors destroyed data on site, the other removed data from the premises to destroy off site. This data was therefore at risk once it had left the data controller’s premises.
  5. The Commissioner has considered the data controller’s compliance with the provisions of the Act in the light of this matter. The relevant provision of the Act is the Seventh Data Protection Principle. This Principle is set out in Schedule 1 Part I to the Act.
  6. Following consideration of the remedial action that has been taken by the data controller, it is agreed that in consideration of the Commissioner not exercising his powers to serve an Enforcement Notice under section 40 of the Act, the data controller undertakes as follows:

The data controller shall, as from the date of this Undertaking and for so long as similar standards are required by the Act or other successor legislation, ensure that personal data are processed in accordance with the Seventh Data Protection Principle in Part I of Schedule 1 to the Act, and in particular that:

(1) The data controller shall introduce formal, mandatory refresher data protection training for all staff who handle personal data by 31 December 2014. This shall occur on a regular, preferably annual basis to ensure that all staff are aware of the data controller’s policies around the handling of personal data.

(2) The data controller shall review its arrangements for storing confidential waste prior to collection by the disposal company and implement any remedial measures required by 31 December 2014 in order to reduce the risk of confidential waste being inappropriately accessed prior to being collected for disposal.

(3) The data controller shall keep a written record of the data processors it uses to process personal data on its behalf. The data controller shall enter into a written contract with any data processor it uses to securely dispose of or otherwise process its personal data as set out in paragraph 12 of Part II of Schedule 1 of the Act.

(4) The data controller shall continue to review its policies and procedures and implement any actions identified as being required to achieve compliance with the Act by 31 December 2014.

(5) The data controller shall implement such other security measures as are appropriate to ensure that personal data is protected against unauthorised and unlawful processing, accidental loss, destruction, and/or damage.
