The data protection gaffes of 2011
A look back at some of the worst infringements of data protection by businesses and the public sector last year
A number of high profile organisations fell victim to sophisticated, targeted security attacks in 2011, proving that there are indeed bad guys out there trying their best to steal valuable information.
At the same time, there was abundant evidence that when it comes to data protection, organisations are often their own worst enemies. The extent of the issue was evident in the wide range of organisations that suffered data protection gaffes during 2011.
One of the country’s best known brands – Barclays Bank – suffered a string of data protection embarrassments during the year.
In June, Which? Money published a study of data protection complaints against banks. It found that Barclays Bank topped the list, with 116 legitimate complaints to the Information Commissioner's Office in 2010, just above Lloyds with 114 complaints. The most common breaches by banks, the study found, were failures to respond to subject access requests.
In September, a former Barclays employee was found guilty of illegally accessing a customer’s data. The woman, the wife of a convicted sex offender who abused her position to find out details of her husband’s victim, had chosen to “ignore training [Barclays] provide”, the bank said. “All staff receive annual training on the importance and regulatory requirements of the Data Protection Act and the consequences of any breach"
But Barclays was in the headlines again in November, when it emerged that a woman applying for a mortgage had her credit rating damaged by a glitch in the bank's credit checking software. The system accidentally accessed the woman's credit history multiple times, prompting her score to deteriorate.
The ICO found that it was "unlikely that Barclays has complied with the requirements of the [Data Protection Act]", but did not take any action against the bank.
Nevertheless, the deputy information commissioner David Smith did call on the banking sector to improve its data protection practices. "Getting it right on data protection doesn’t just mean keeping data secure," he said at an event held in June by the British Banker’s Association. "The law also gives individuals an important right to remain in control of their information. I want to remind banks of the need to take this obligation seriously, providing full responses in a timely manner.”
In March, retail, banking and services conglomerate the Co-operative Group apologised after details of 83,000 customers of its funeral planning service were accidentally published online. It blamed the episode on a contractor but it was nevertheless an embarrassing gaffe for the Co-op, which also launched a legal advice service this year.
Healthcare and local government
The healthcare sector was once again a conspicuous data protection offender. In August, for example, a hospital in Dublin was forced to admit that patient records had been subject to "unauthorised access and disclosure" after being sent to the Philippines for transcription, having initially described reports of the breach as "unsubstantiated".
Tallaght Hospital revealed that although its policy was that patient identifiers should not be used in reports or letters, and that information sheets be maintained to track each report, neither of these policies had been followed in practice.
It would be unfair to blame London Health Programmes, a division of NHS North Central London (NHS NCL), for having 20 of its laptops stolen from a storeroom. But the fact that one of the laptops contained 8.6 million patient records, reported by The Sun newspaper to have been unencrypted, and that the incident was only reported to police three weeks after the laptop went missing, does justifiy criticism.
Local government had its fair share of data protection transgressions. An analysis of over 100 local authorities by activist group Big Brother Watch revealed in November that they had collectively suffered 1,035 data breaches since 2008, although only 53 were reported to the ICO. These breaches included the loss of 244 laptops, 98 memory sticks and 93 mobile devices.
The council named as the ‘worst offender’ in Big Brother Watch’s report, Buckinghamshire County Council, complained that it was simply the victim of its own rigorous breach reporting practices.
Clearly, though, local government is struggling with data protection as much as any other sector. And in this case, the ICO is prepared to take rigorous action.
In December, the watchdog fined Powys County Council a record £130,000 after sensitive information relating to child protection case was mailed to the wrong recipient. The information had been picked up accidentally from a shared printer.
The reason for the severity of the fine was not only the sensitivity of the data in question, but the fact that a similar breach had occurred at the council a year before, but it had not taken on the recommendations that the ICO had given at the time.
The fact that the ICO pursues organisations such as Powys County Council while some financial institutions seem to go unpunished drew criticism during the year.
That was compounded during the Leveson enquiry into press standards, when a former police officer alleged that the ICO had enough evidence to crack down on an entire supply chain of stolen personal data, from corrupt government employees, through fences and to journalists. But, they alleged, the commissioner felt that newspapers were powerful a target to pursue.
At the end of the year, the ICO addressed some of these concerns in a strategy document. “We cannot address all risk to the upholding of information rights equally,” it said. “This means we have to take account of factors such as the volume, nature and sensitivity of information involved, and the number of people whose information rights might be impacted.”
Elsewhere in the document, it explained that “education, awareness raising and the provision are key activities for us. This is how we can maximise our impact.”
But thanks to public data breaches such as the above, most IT professionals are aware of their obligations to uphold data protection and privacy rights. The challenge for 2012 then, for organisations and the ICO, is to understand how that organisational knowledge can conveyed to every individual, and how technological measures can be used to uphold the information rights of citizens and customers.