The UK Information Commissioner’s Office (ICO) has found Yorkshire Building Society in breach of that country's Data Protection Act after an unencrypted laptop was stolen from the Society's premises.
It has also recently found two other organisations in breach of the Act: one for leaving customers' credit agreements in a skip, the other for losing a CD containing patient records.
In the Yorkshire Building Society case, the laptop belonged to the former Chelsea Building Society, which had recently merged with Yorkshire, and was stolen from its head office in Cheltenham. It contained a “substantial” part of Chelsea's customer database.
Yorkshire Building Society hired private investigators to retrieve the laptop, which was recovered within 48 hours of the theft. Although forensic investigations found that none of the data had been accessed during that time, there were signs that there had been several attempts to do so.
Prior to the theft, a Chelsea employee had been using the laptop to work from home. When asked to return it, the employee handed it to a manager, who took it back to the Cheltenham office. The manager wrote down the computer's passwords and left them in a bag with the laptop under a desk overnight; the laptop was stolen the next morning.
Beyond the theft itself, the ICO also found that the employee had not needed access to all the data held on the laptop to carry out their work, so the device was carrying far more personal data than the task required.
Iain Cornish, chief executive of Yorkshire Building Society, has signed an undertaking to ensure that such data security breaches do not occur again.
Although Yorkshire already has a policy of encrypting all its portable devices, this will now encompass the Chelsea business. Furthermore, all staff are to be made aware of the company’s policies for storing and using personal data, and staff will access only the data that they need to do their work.
Mick Gorrill, head of enforcement at the ICO, said: “It is extremely concerning that an unencrypted laptop containing large amounts of personal data was left unsecured overnight, together with details of its passwords.
“What’s more, the fact that the employee did not require all the information to carry out the task in hand created an unnecessary risk which could easily have been avoided.”
However, he added: “I am satisfied that steps are now in place to prevent this happening again.”
Separately, DSG Retail was found to be in breach of the Data Protection Act when a local authority’s environmental health department reported the discovery of eight completed credit agreements, which contained personal and financial data, in and near a skip at one of the company’s PC World stores.
Although the agreements were found in January 2010, they related to transactions that took place two years earlier. Not only had the documents been retained beyond the period that DSG recommends, but they were not disposed of according to DSG’s usual, more secure procedures, that is, by transporting them in sealed containers to a central facility for secure shredding.
Based on this incident, the ICO decided that DSG had not provided sufficient data protection training to its staff.
Consequently, John Browett, chief executive of DSG, has signed an undertaking to carry out a review of the company's security measures and to ensure that staff who have access to personal data are made aware of, and fully trained in, the company's policies for storing, using, retaining and disposing of credit agreements.
Meanwhile, it was a newspaper report on 14 May 2010 that alerted the ICO to the Royal Wolverhampton Hospitals NHS Trust’s breach of the Data Protection Act.
The newspaper said it had received from an anonymous source an unencrypted CD containing details of 112 patients, allegedly found at a bus stop near the hospital. The CD, which had no password protection, contained scans of patient charts from the intensive care unit of the Royal Wolverhampton's Heart and Lung Unit. The data was several years old.
Although the hospital investigated the incident, it was unable to establish how the CD had come to be made. The ICO found weaknesses in the hospital's procedures, including that patient charts released to consultants on request were not chased for return until around a month later.
David Loughton, chief executive of the Trust, has since signed an undertaking to ensure the necessary training for staff to follow data protection and records management procedures. The hospital will also ensure that a record is kept of patient charts being released to consultants, and that they are chased for return on a weekly basis.
The ICO has previously revealed that the NHS is the worst culprit for data breaches.