UK: Action taken after details of 110,000 individuals are stolen
The Information Commissioner’s Office (ICO) has found Verity Trustees Ltd to be in breach of the Data Protection Act after the Trustees reported the theft of a laptop computer containing the names, addresses, dates of birth, salaries and national insurance numbers of around 110,000 individuals.
The laptop, which also contained the bank details of around 18,000 individuals, was stolen from a locked server room at Northgate Arinso – suppliers of the Trustees’ computerised pensions administration system. The data was downloaded for training purposes in breach of Northgate Arinso’s policy of only using an anonymised data sample for 50 to 100 pension scheme members.
A formal Undertaking has been signed by Verity Trustees Ltd to ensure that personal data is processed in accordance with the Data Protection Act. Verity Trustees Ltd will ensure portable and mobile devices used to store and transmit personal data are suitably encrypted. Adequate written contracts that encompass data security obligations will also be put in place with data processors as soon as is practically possible.
Mick Gorrill, Assistant Information Commissioner at the ICO, said: “This is a stark reminder of how easy it can be to put so many people’s details at risk. Failure to follow security policies and downloading such a vast amount of information has resulted in thousands of individuals’ personal details being compromised. It is encouraging to see that the Trustees have taken remedial steps, including the engagement of a fraud protection service provider to protect the affected individuals.
I am also satisfied that the Trustees will now take appropriate steps to ensure individuals’ details are protected.”
Failure to meet the terms of the Undertaking is likely to lead to enforcement action by the ICO. A copy of the Undertaking can be downloaded from http://www.ico.gov.uk/what_we_cover/data_protection/enforcement.aspx