Yorkshire Building Society and DSG Retail in breach of Data Protection Act

It was reported that the Information Commissioner has found Yorkshire Building Society to be in breach of the Data Protection Act after a laptop containing customer data was stolen. The report stated that “The Information Commissioner’s Office (ICO) has found Yorkshire Building Society in breach of the Data Protection Act after an unencrypted laptop was stolen from its premises”. The ICO also recently found DSG Retail, which owns Dixons and PC World, and Royal Wolverhampton Hospitals NHS Trust in breach of the Act, for leaving customer details in a skip and for losing a CD containing patient records, respectively.

In the Yorkshire Building Society case, the laptop belonged to the former Chelsea Building Society, which had recently merged with Yorkshire, and was stolen from its head office in Cheltenham. It contained a “substantial” part of Chelsea’s customer database.
Yorkshire Building Society hired private investigators to retrieve the laptop, which was recovered within 48 hours of the theft. Although forensic investigation found that none of the data had been accessed during that time, there were signs of several attempts to do so. Prior to the theft, a Chelsea employee had been using the laptop to work from home; when asked to return it, the employee handed it to a manager, who took it back to the Cheltenham office. The manager wrote down the computer’s passwords and left them in a bag with the laptop under a desk overnight, and the laptop was stolen the next morning. In addition to the theft itself, the ICO found that the employee did not need access to all the data on the laptop to carry out their work.

Iain Cornish, chief executive of Yorkshire Building Society, has signed an undertaking to ensure that such data security breaches do not occur again.

Although Yorkshire already has a policy of encrypting all its portable devices, this will now also cover the Chelsea business. Furthermore, all staff are to be made aware of the company’s policies for storing and using personal data, and staff will access only the data they need to do their work.

Mick Gorrill, head of enforcement at the ICO, said: “It is extremely concerning that an unencrypted laptop containing large amounts of personal data was left unsecured overnight, together with details of its passwords.
“What’s more, the fact that the employee did not require all the information to carry out the task in hand created an unnecessary risk which could easily have been avoided.” However, he added: “I am satisfied that steps are now in place to prevent this happening again.”

There are two main issues at work here, which we often see when we visit companies:

1) Data security
   a. the laptop containing personal data was not sufficiently protected from unauthorised access;
   b. the laptop (and therefore the data) was not sufficiently well secured overnight;
   c. the passwords were stored with the laptop itself.

2) Data management
   a. the laptop contained data that was unnecessary for the task and should have been removed earlier;
   b. staff were not aware of their responsibilities or of the possible risks;
   c. there does not appear to have been a data governance system in operation at Chelsea;
   d. “policy” is not being implemented in the field, and without a data governance system in operation there is no way of finding that out.

A systematic data governance system highlights these kinds of matters, and many more, and reduces the risk of data loss. The costs of clearing up after a breach far outweigh the costs of implementing such a system.