Today saw the ICO issue an all too familiar press release, about an all too familiar tale - a business reports the loss of an unencrypted disk which contains the personal details of individuals.
In this case, however, not only did Jubilee Managing Agency Limited, a Kent insurance company, suffer the loss of the personal details of approximately 2100 UK policy holders, but it also had to admit that some of the 'lost' data was in fact 10 years old and clearly out of date, with some of the policy holders being dead or having moved address!
An independent review of the company's policies and procedures found that Jubilee Managing Agency Limited was deficient in these areas and was also lacking in staff training.
Sally-anne Poole, Head of Enforcement & Investigations at the ICO, said:
“This case is not only a reminder that the appropriate safeguards should be in place to protect personal information, but that organisations must ensure information is accurate and up to date. Organisations should only retain personal information for as long as necessary. It is a matter of some concern to us that expired policies, including financial details, were still available and stored on unencrypted devices.”

The ICO have reported that in the private sector alone, 161 data security breaches have been notified to the ICO in the last 20 months, and the ICO is keen to see data protection "treated as a corporate governance issue affecting the whole organisation".
The insurance company have now signed a number of undertakings whereby, in summary, they shall:
- ensure that appropriate technical measures are put in place including the encryption of personal data held on moveable media;
- put in place suitable written procedures;
- ensure personal data is not kept longer than is necessary;
- improve its data protection training for staff;
- ensure that, where personal data is processed by third parties on behalf of Jubilee, the processing is carried out in compliance with principle seven of the Data Protection Act;
- and finally, put in place such technical measures as are necessary to prevent the unauthorised or unlawful processing, loss, destruction and/or damage of personal data.
The undertakings can be viewed in full at:
The ICO can take enforcement action where undertakings are not complied with.