ICO finds company to be in breach of the Data Protection Act after laptop containing personal information and banking details is stolen
The Information Commissioner's Office (ICO) has found Verity Trustees Ltd to be in breach of the Data Protection Act after the Trustees reported the theft of a laptop.
The laptop contained the names, addresses, dates of birth, salaries and national insurance numbers of around 110,000 individuals, as well as the bank details of around 18,000 individuals.
It was stolen from a locked server room at Northgate Arinso – suppliers of the Trustees' computerised pensions administration system. The data was downloaded for training purposes in breach of Northgate Arinso's policy of only using an anonymised data sample for 50 to 100 pension scheme members.
Mick Gorrill, assistant Information Commissioner, said: “This is a stark reminder of how easy it can be to put so many people's details at risk. Failure to follow security policies and downloading such a vast amount of information has resulted in thousands of individuals' personal details being compromised.
“It is encouraging to see that the Trustees have taken remedial steps, including the engagement of a fraud protection service provider to protect the affected individuals. I am also satisfied that the Trustees will now take appropriate steps to ensure individuals' details are protected.”
A formal Undertaking has been signed by Verity Trustees to ensure that personal data is processed in accordance with the Data Protection Act. Verity Trustees will ensure portable and mobile devices used to store and transmit personal data are suitably encrypted. Adequate written contracts that encompass data security obligations will also be put in place with data processors as soon as is practically possible.
Chris McIntosh, CEO of Stonewood, said: “The issue here is not that there was a huge amount of important data stored on the laptop; the nature of business today is that we need to move around, and in order to do this we need to carry data. However, it is shocking that a company carrying this type of information was not securing itself against theft and loss.
“The average value of data contained on a laptop is half a million pounds, and this does not take into account broader implications of losing data, including loss of reputation. The real problem is that people never recognise the value of their data until it's been lost or breached, and by that point it's simply too late.
“Individuals and businesses need to reflect on the consequences of their actions if they do not take the necessary and simple steps to protect data. As recommended by the ICO, it is critical that data in all laptops and portable devices is properly encrypted to prevent such situations.”