
£200k fine – lack of awareness “no excuse”

A not-for-profit organisation was fined £200,000 by the Information Commissioner (ICO) after falling victim to a hacker who stole 10,000 records from a database behind their web site. The hacker was subsequently jailed for 32 months, leaving the British Pregnancy Advisory Service (BPAS) with tough questions to answer.

BPAS claimed that they did not know what data was being collected on their web site and that it was therefore not their fault that excessive and sensitive data was being kept in the database. They also claimed that their web provider was in charge of the security of the servers and that it was pretty much out of their control.

The ICO showed no sympathy and sent out a stern reminder that it is a data controller who is responsible for the data processing activities that are undertaken on their behalf.

Deputy Commissioner, David Smith said: “Data controllers must take active steps to ensure that the personal data they are responsible for is kept safe.

“There’s a simple message here: treat the personal information you are holding with respect. This includes making sure you know just what information you are holding and that it’s subject to up-to-date and effective security measures.”

Absolute Data Comment

I see lots of situations every week of organisations who have appointed web providers to manage their web sites and who have absolutely no idea of, nor any control over, what data is collected, how long it is stored and so forth. Only last week, while carrying out an information search for a client following a Subject Access Request, we uncovered a situation where a web site provider had been “scraping” social media comments made by our client’s customers and storing them indefinitely in a web database. Even when the poster had removed or modified the post, our client’s web provider retained a copy, effectively on behalf of our client, although they had no idea that this was going on!

I agree wholeheartedly with David Smith: if you have a web site YOU need to ENSURE that you know exactly what your appointed provider is doing in respect of data collection, storage, security etc. A growing area of our work at Absolute Data is carrying out due diligence on behalf of companies into their supply chain, including their web site provider.