If you browse the Information Commissioner’s Office (ICO) website you will likely find yourself shocked and in disbelief at some of the personal data breaches it has ruled upon and, in most cases, the culprits it has named and shamed. Some of the most surprising instances that we have read about are breaches committed by public service organisations, including local authorities, the Crown Prosecution Service and, believe it or not, the police.
These are organisations that many would argue should know better, given the amount of responsibility they carry for looking after society’s most vulnerable people. This goes to show that data breaches really can happen to any organisation. In many cases, human error is to blame, proving that clear, well-communicated and well-understood data protection policies are vital in any organisation, and must be followed.
Here are some of the most shocking breaches reported and fined by the ICO.
It is worth pointing out that, with the GDPR now in force, the fines reported below would be a lot more severe today.
Bayswater Medical Centre:
Bayswater Medical Centre left highly sensitive medical records in an empty building. The records held there included personal information such as patients’ medical histories, prescriptions and patient-identifiable medicine. Because the building was left unsecured for 18 months, anyone could have wandered in and stolen any of the data held there.
The ICO fined them £35,000.
Crown Prosecution Service:
The Crown Prosecution Service (CPS) lost 15 unencrypted interviews when they were delivered to, and left in, a reception area without being signed for. The CPS had the ability to encrypt the interviews but did not, and the testimony of 15 children has now been lost.
The ICO fined them £325,000.
Humberside Police:
Humberside Police lost 3 copies of an alleged rape victim’s interview. Not only did these disks detail the incident, they also stated her name, date of birth, address, medication and mental state, and the name of the friend who accompanied her.
The ICO fined them £130,000.
Nottinghamshire County Council:
Nottinghamshire County Council was reported to the ICO by a member of the public who was concerned for the safety of the people under the care of its ’home care allocation system’. Because the website had no access controls (no username or password), anyone could access the directory. This directory listed people’s gender, address, postcode, personal care needs and care package needs.
The ICO fined them £70,000.
London Borough of Islington:
The London Borough of Islington failed to keep 89,000 people’s data secure, which resulted in 119 documents being accessed and 71 users having their details viewed.
The ICO fined them £70,000.
Chief Constable of Dyfed-Powys Police:
Dyfed-Powys Police was reported to the ICO by a member of the public who had received, in error, an email detailing the names, addresses, phone numbers and email addresses of eight sex offenders.
The ICO held the Chief Constable responsible and fined Dyfed-Powys police £150,000.
We hope this article has shown you that it isn’t only cyber-attack breaches that result in ICO fines. A breach is a loss of personal data; whether it is caused by human error or by cyber-crime, it will result in a fine. With the GDPR now in place, the fines these organisations received would have been much more severe.