25 September 2015

Yesterday the ICO issued an undertaking to a Scottish law firm in Ayr, after the loss of a DVD which contained footage relating to a criminal trial, provided by the Crown. The DVD was not encrypted by the Crown, although the ICO did not comment on this in the Undertaking. The DVD seems to have been picked up by another solicitor, apparently as a favour to the intended recipient, since that solicitor was closer to the prosecutor’s office, but it was then lost and never reached the solicitor for whom it was intended.

The ICO did not indicate that there had been a breach of the seventh data protection principle (data security to be achieved by use of appropriate technical and organisational measures) although that is implied by its use of an undertaking. Given that the law firm was dealing with ‘sensitive’ information this is even more important and in our view they were lucky not to receive a monetary penalty.

The ICO said there had been “a number of shortcomings in the organisation’s procedures” including a lack of guidance, a lack of training and the lack of a formal procedure for collecting personal data outwith the office. Therefore the law firm undertook to do the following within three months:

1. Produce appropriate procedures for the collection of paper and electronic media containing personal and sensitive personal data from third parties;
    
2. Safeguards are put in place to ensure that encryption is used where appropriate;
    
3. A Data Protection Policy is implemented;
    
4. Staff are made aware of this policy and are trained as to how to follow that policy;
    
5. Staff responsible for the handling of personal data are given appropriate, specific training upon induction and this training is refreshed annually;

Finally the company undertook to implement appropriate security measures to ensure that personal data is protected against unauthorised and unlawful processing, accidental loss, destruction, and/or damage.

This undertaking highlights the simple training measures that ought to be taken by all data controllers and the significant obligations on them to ensure that any third party acting on their behalf takes the same approach to data security.

It is also worth noting that the Crown is routinely providing evidential information on unencrypted DVDs and we do wonder if they have received advice from the ICO about that approach?

The Undertaking can be found here: https://ico.org.uk/action-weve-taken/enforcement/martin-and-company/