The Information Commissioner’s Office (ICO) is the U.K.'s national regulatory authority for data protection. As an independent public body, sponsored by the Ministry of Justice, it is responsible for enforcing U.K. legislation, including the Data Protection Act of 1998 (DPA).
The list of 2009 ICO decisions involving data controllers and processors already contains a large number of entries compared to the previous two years. Many of the Enforcement Notices issued by the ICO relate to security breaches arising from the loss and misuse of laptops, computer memory sticks, and data storage discs. Security problems have been most prevalent in two particular fields, healthcare and education, and the vast majority of Enforcement Notices seem to be recorded against National Health Service (NHS) Hospital Trusts, Primary Care Trusts (PCTs), and universities or colleges. These institutions manage large amounts of personal data, including personal data defined as “sensitive” by the DPA.
Organizations such as these must comply with the DPA, including eight data protection principles contained in Schedule 1. The seventh data protection principle requires organizations to take appropriate measures to ensure the security of data, the level of which must generally be appropriate to the nature of the data to be protected and the harm that might result from unauthorized or unlawful processing or accidental loss, destruction, or damage.
Under the seventh principle, the ICO has issued a series of recent Enforcement Notices, including:
- Leicester City Council recently signed a formal undertaking agreeing to comply with the seventh data protection principle following the loss of an unencrypted memory stick containing sensitive personal data relating to children at a nursery run by the council.
- Cambridge University Hospital NHS Foundation Trust, Central Lancashire PCT, North West London Hospitals NHS Trust, and Hull & East Yorkshire Hospitals NHS Trust all signed formal undertakings to process personal data in line with the DPA and agreed to improve security measures to protect personal information by ensuring that all portable and mobile devices used to store and transmit personal data are encrypted.
- Doncaster PCT recently agreed to comply with the seventh principle of the DPA after a server running a doctor’s voice recorder system, which held 220,000 clinical voice records relating to patients, was removed without authorization. Although the server was returned and the records may not have been accessed, Doncaster PCT was found liable for the security breach.
- Leasowes Community College was recently found to be in breach of the seventh data protection principle following the loss of an unencrypted USB memory device that contained personal data of 1,500 college students. In this case, the device was recovered after being found by a member of the public.
- The University of Manchester has signed a formal undertaking to comply with the seventh data protection principle after a spreadsheet containing personal data of 1,755 students was accidentally emailed to 469 students.
In terms of enforcement, the ICO’s powers are relatively limited and focus on ensuring organizations meet their obligations under the DPA. As such, most cases involve the requirement that organizations agree to comply with the DPA and its principles.
Still, organizations need to be aware of their obligations under the DPA and ensure that those handling personal data are similarly aware of the risks involved in security breaches. Data must be kept secure by appropriate methods, which is likely to mean password protection, the use of encryption, and the need to safeguard laptops and portable storage devices against unauthorized use, theft, and loss.