In a follow-up to a breach previously reported on this site, the Information Commissioner’s Office (ICO) has found that a private housing group breached the Data Protection Act by sending the personal data of 200 employees to the wrong email address.
In March of this year, an employee of Spectrum Housing Group accidentally emailed a non-secure Excel spreadsheet containing employees’ data, including details of their pension contributions, to the wrong external email address. The error was discovered 30 minutes after the email had been sent, at which point the unintended recipient was informed and the data destroyed.
The ICO’s investigation found that, at the time of the incident, Spectrum Housing did not have a sufficient policy in place to help prevent such incidents, and the ICO has ordered the company to take action.
Acting Head of Enforcement, Sally Anne Poole, said:
“While on this occasion the information compromised was not sensitive, the fact is that at the time of the incident Spectrum Housing Group did not have appropriate controls in place. This case highlights the need for organisations to make sure that adequate checks are in place and documents suitably protected before they are sent out.”
Somewhat disappointingly, the ICO’s press release states, “the organisation will also consider, where appropriate, password protecting or encrypting documents containing personal information.” “Consider?” “Password protecting?” That sounds like a pretty lame commitment. Why hasn’t it committed to using strong protection for documents containing personal information?