A UK Historical Society fined for data breach by the Information Commissioner’s Office
November 14, 2016
Data breaches through lost or stolen laptops or other BYODs (bring your own devices) are quite common. Unlike lost paper documents, a single lost device can hold a significant amount of data in digital form. That is what happened to a Historical Society recently. The Information Commissioner has issued a Monetary Penalty Notice, fining the Historical Society £500.
The media release provides:
The ICO has fined a historical society after a laptop containing sensitive personal data was stolen whilst a member of staff was working away from the office. The laptop, which wasn’t encrypted, contained the details of people who had donated artefacts to the society. An ICO investigation found the organisation had no policies or procedures around homeworking, encryption and mobile devices which resulted in a breach of data protection law.
Under the Monetary Penalty Notice:
- An administrative officer (“Officer”) working for the Historical Society lost a laptop [9]. It was not encrypted.
- The break-in was reported to the police.
- The laptop contained (among other things) a list of individuals who had donated or loaned artefacts to the Historical Society [12].
- The Historical Society did not have in place any policies regarding encryption, homeworking and the storage of mobile devices [18(c)].
- The ICO regarded the breach as serious because of the number of affected individuals, the highly sensitive nature of some of the personal data held on the laptop and the potential consequences [22].
- The Officer was required to hold personal data relating to – individuals on the laptop. Mobile devices such as laptops carry a high risk of loss or theft and therefore require adequate security measures to protect the personal data [25].
- Where information of a highly sensitive nature is concerned – in particular as regards those who expected that it would be held securely – there is a heightened need for robust measures, in technical or organisational terms, to safeguard against unauthorised or unlawful access and accidental loss [26].
- The Commissioner considered that the Historical Society knew or ought reasonably to have known that the contravention would be of a kind likely to cause substantial damage or substantial distress. She is satisfied that this condition is met, given that the Historical Society was aware of the highly sensitive nature of some of the information held on the laptop. The Historical Society ought to have known that it would cause substantial distress if the information was used in ways [39]
- The Historical Society failed to take reasonable steps to prevent the contravention. Reasonable steps would have included issuing the Officer with an encrypted laptop and putting in place policies governing the use of encryption, homeworking and the storage of mobile devices. The Historical Society did not take those steps [42].
- In mitigation the Commissioner considered 3 relevant factors:
  - The laptop was password
  - The information had not been further disseminated;
  - A monetary penalty may have a significant impact on the Historical Society’s reputation [52].