UK recruitment agency Manpower has agreed to improve its data protection practices after an employee accidentally emailed personal data of 400 individuals to inappropriate recipients.
The data was contained in a spreadsheet that was sent to 60 employees. "The employee had initially believed that the spreadsheet contained only the employee numbers of those 60 staff," according to an undertaking published last week by the Information Commissioner’s Office.
The personal data was not considered to be "sensitive" as defined by the Data Protection Act. However, the ICO found that the employee "had not given sufficient consideration to the security of the personal data".
The ICO decided not to fine Manpower but the company has agreed to "ensure that personal data is processed in accordance to the [Data Protection Act]".
Specifically, it has agreed to make sure that all staff are aware of its data protection policy and how to follow it; that personal data transmitted over the Internet should either be password protected or encrypted; that data protection compliance is regularly monitored; and that Manpower will implement any necessary data security measures.
Hays, one of Manpower’s competitors, suffered a similar data breach in August last year when an employee sent payment details of 3,000 contractors it supplies to Royal Bank of Scotland to 800 of the bank’s employees.
Earlier this month, drug giant AstraZeneca was forced to reiterate its financial guidance after confidential data was accidentally left in a spreadsheet sent to investment analysts.