The importance to charities of cyber security and data protection has been emphasised by the recent experience of the British Pregnancy Advice Service (BPAS). The BPAS website invited people to request a call back for advice about their services, which include contraceptive advice, abortion, counselling, STI screening, sterilisation, vasectomy and treatment for erectile dysfunction. A computer hacker was able to get access to personal details of about 9,900 people who had registered for this call back service and threatened to publish their names.

The computer hacker received a prison sentence of 32 months for this criminal activity. The BPAS received a £200,000 fine for its serious breach of the Data Protection Act 1998 (DPA).

So what did the BPAS do wrong? Well, the BPAS did not realise its website was storing the names, addresses, dates of birth and telephone numbers of people who requested a call back for advice on pregnancy. This meant that:

  • Breach No.1 of the DPA - the BPAS had not taken appropriate technical and organisational measures to protect against unauthorised access to the personal data stored on their website. The hacker was able to get access to the personal data of around 9,900 people using tools widely available on the internet that target well-known vulnerabilities in websites due to poor website coding practices.
  • Breach No.2 of the DPA - the call back details were kept for five years longer than necessary for the purpose for which they were obtained.

These contraventions of the DPA put confidential personal data at risk of unauthorised disclosure, which would be likely to cause substantial damage or distress. The Information Commissioner's Office (ICO) has the power to impose monetary penalties of up to £500,000 for serious breaches of the DPA. When assessing the level of fine appropriate for the BPAS, the ICO took into account the fact that the BPAS undertakes charitable work, as well as providing services on behalf of the NHS. However, the ICO still felt that a fine of £200,000 was reasonable and proportionate given the particular facts of the case.  The ICO is sending out a clear message that charities and social enterprises should ensure they are fully aware of what personal data they hold, and take appropriate steps to keep that data secure.