The Information Commissioner's Office (ICO) has fined the Northern Ireland Department of Justice £185,000 after the Compensation Agency, which provides compensation to victims of terrorist action, auctioned off a filing cabinet containing the personal information of victims of terrorist attacks. The personal information in question included details of victims’ injuries, family and compensation received, as well as confidential ministerial advice on awards.
The ICO investigation found that, while there was an expectation within the agency that personal data would be handled securely, the instructions and training given to staff were relatively limited given the sensitivity of the information handled by the department.
This case clearly underlines the need for organisations to take common-sense steps to ensure that staff are fully trained in their data protection obligations and are aware of the need to take ownership of data protection risks. Nowhere is this more important than in organisations which process highly sensitive information.