Following the recent news that the Information Commissioner's Office is to investigate whether Oliver Letwin breached the Data Protection Act (DPA) by throwing away constituents' letters and other documents in a park bin, here are some past examples of DPA breaches in this area. In each case the organisations concerned were required to sign formal undertakings to improve their future compliance.
- September 2011 Walsall Council
Postal vote statements were accidentally disposed of by a contractor in a skip. The Council did not have a written data processing contract with the contractor.
- April 2011 Norwich City College
Student files scheduled for secure destruction were placed in black bin bags and subsequently disposed of in a skip. The lack of a confidential waste policy led to a lack of practical awareness by staff, which resulted in the breach.
- March 2011 Wolverhampton City Council
Personal data was incorrectly disposed of in a skip by staff who failed to recognise the confidential nature of the information. The skip was subsequently stolen and the information dumped on a local industrial estate by the thieves.
- March 2007
13 major financial and other organisations (including most of the UK's major High Street banks) were each found to have dumped personal data in bins outside their premises.
The main lessons to take from these examples are:
- Implement a policy for the handling and disposal of confidential waste. Train staff to follow the policy and monitor compliance on a regular basis.
- Staff training must create a general awareness that all documents containing personal data should be treated as confidential.
- Contractors entrusted with disposing of personal data must be thoroughly vetted, required to enter into a suitable data processing agreement and monitored for compliance.