Yesterday, 16th March 2017, the Information Commissioner's Office published a penalty notice detailing a data breach by a person described as a senior barrister. This case is of interest because it highlights the risks of using home-based IT equipment when processing data of a sensitive nature.
The full decision notice is here: ICO Fines Barrister for Data Breach.
The main points of the decision are as follows:
- On the 5th January 2016 a local authority solicitor informed relevant people that sensitive documents were available online and that the author could be identified.
- The barrister, who specialises in Family law, had created documents on a home computer for work purposes.
- The home computer was password protected but the documents were not encrypted.
- Other family members had access to the home computer.
- On the 19th September 2015 the barrister's spouse uploaded the documents in question (725 of them) to an online directory to keep them safe while a software upgrade was performed on the home computer. An assumption was made that the documents were safe.
- The documents were visible to an internet search engine which indexed and cached 15 of them, 6 of which contained confidential and highly sensitive information relating to lay clients who were involved in proceedings in the Court of Protection and the Family Court.
- In total, between 200 and 250 individuals were affected by the breach including vulnerable adults and children.
- Upon notification that the documents were visible, they were removed immediately but had been available for some 3 months.
- Taking into account the co-operation and swiftness of action of the subject of this decision, the fine was relatively small at £1,000; it could have been much worse.
This case brings into focus the risks taken with sensitive data every day. There was no intention in the case above to contravene the Data Protection Act, and no intention to be careless with sensitive information; however, the apparent lack of a robust governance system and of appropriate training will have been significant contributory factors.
In light of this case, anyone who stores and processes personal information should ask:
- How do we govern the storage of personal information?
- What guidance do we publish for our staff?
- What processes are in place to control access to stored information?
- Do we allow the use of personal equipment? If so, how do we govern it, and what is our risk?