From the Information Commissioner’s Office:
Organisations are learning the hard way of the consequences of mishandling people’s information – and others need to heed the lessons the Information Commissioner, Christopher Graham, warned today at the launch of the ICO’s 2011/12 annual report.
The Commissioner’s comments came as the ICO imposed a civil monetary penalty (CMP) of £150,000 on the consumer lender, Welcome Financial Services Limited (WFSL), after the loss of more than half a million customers’ details.
Information Commissioner, Christopher Graham, said:
“Over the past year the ICO has bared its teeth and has taken effective action to punish organisations many of which have shown a cavalier attitude to looking after people’s personal information.
“This year we have seen some truly shocking examples, with sensitive personal information, including health records and court documents, being lost or misplaced, causing considerable distress to those concerned. This is not acceptable and today’s penalty shows just how much information can be lost if organisations don’t keep people’s details secure.
“We hope these penalties send a clear message to both the public and private sectors that they cannot afford to fail when it comes to handling people’s data correctly.”
Today’s penalty was issued after WFSL’s Shopacheck business lost two back up tapes which contained the names, addresses and telephone numbers of their customers in November last year. The tapes have never been recovered.
This latest penalty means that, since being given the power to issue CMPs from 6 April 2010, the ICO has issued 21 penalty notices, bringing the total value of the penalties issued by the ICO to over £2 million.
“It’s a case of ‘wake up and smell the CMP,” the Commissioner said.
While figures from today’s annual report show a 0.3% drop in the number of data protection complaints received by the ICO – with 12,985 complaints made last year – the report highlights the public’s growing concerns about unsolicited marketing calls and texts.
During the last financial year the ICO saw a 43% rise in the number of complaints under the Privacy and Electronic Communication Regulations (PECR) – which govern electronic marketing – with 7,095 complaints received.
Commenting on these latest figures, the Information Commissioner said:
“Last year the ICO gained tough new powers to tackle unsolicited marketing calls and texts, including the power to impose a penalty of up to £500,000 on the worst offenders.
“We have now set up a dedicated team to enforce the Privacy and Electronic Communication Regulations and we are currently working to identify the operators responsible. The ICO has executed search warrants at a number of sites across the UK linked to companies we believe are breaking the law.
“We have also set up an online reporting mechanism on our website that allows people to report any marketing texts or calls from unidentified senders. We have received over 12,000 reports to date and we are confident that this work will help us identify those responsible.”
The ICO has also witnessed a 7% rise in the number of Freedom of Information complaints, with 4,633 complaints received during 2011/12. Despite this increase in the ICO’s workload and despite cuts in government grant-in-aid, the ICO has reduced by 66% the number of FOI cases that have been with the office for longer than 6 months. The number of data protection cases taking over six months to complete has also fallen by 82%.
“Our work resolving freedom of information requests has also increased. As budgets tighten and public spending comes under even greater scrutiny, public authorities must remain transparent and accountable if they are to retain the trust of the public they serve,” the Commissioner said.
Meanwhile, figures from today’s annual report show a 60% increase in the number of audits carried out by the ICO Good Practice team. Of the 42 organisations audited, 90% felt that the process raised awareness of the importance of data protection in their organisations, showing that that the ICO’s audits are bringing real information rights benefits to those that take part.
The ICO is extending its audits to cover public authorities’ compliance with the Freedom of Information Act and has also introduced advisory visits to help small and medium sized organisations.
The penalty provides some greater detail on the incident with respect to types of information involved:
So… is this the first we’re hearing of this breach in the media? When were those affected notified?