ICO fines Northern Ireland Govt Agency £185,000

The Department of Justice of Northern Ireland has been hit with a £185,000 fine from the ICO after leaking physical records containing personal information relating to victims of a terrorist incident.

On this occasion it wasn't a laptop, pen drive or phone, but a filing cabinet that was sold at an auction, emphasising the need to secure confidential information in whatever format it is held, whether physical or electronic, through properly understood security procedures.

The information belonging to the Northern Ireland Compensation Agency included data on the victims of a terrorist attack, the injuries they suffered and the amount of compensation offered, as well as private ministerial advice.

The Information Commissioner's Office (ICO) says that there was an expectation within the agency that personal data would be handled securely, yet its investigation found limited instructions to staff on what that principle meant in practice - despite the highly sensitive information the office held.

Commenting on the case, Len Macdonald, the ICO's Assistant Commissioner for Northern Ireland, said: “This is clearly a very serious case. The nature of the information typically held by this organisation made the error all the more concerning.”

“The distress that could have been caused to victims and their families had this fallen into the wrong hands is self-evident,” he added.

Kevin Bailey, a former IDC security analyst and now head of strategy at Clearswift, told SCMagazineUK.com that news of the case drew his interest, as he worked in Northern Ireland during the period the agency's papers relate to.

"This is very embarrassing for the Department of Justice, as there are emotive materials involved," he said, adding that it is clear - from the scale of the fine - that the ICO has found some sensitive information was lost.

Under the current Data Protection Act, he says, the ICO is limited to a maximum penalty of £250,000, but you do wonder how much greater the fine could be under the new European Privacy Directive rules.

And, he went on to say, the political ramifications if the information had leaked out to the general public and the media could be very severe, as the data clearly relates to the period of Bobby Sands and the hunger strikes in Northern Ireland.

"Let's be clear here. The information refers to compensation paid to civilians involved in the Northern Ireland troubles. This was very sensitive data and it should not have been handled in this way," he added.

Steve Smith, MD of security consultancy Pentura, was equally scathing. "It's often easy to forget that information in paper files and documents can be just as sensitive, and prone to mishandling, as electronic data. Of course, it's far easier to mislay a memory stick than a filing cabinet, but the consequences could be identical."

“As with the recently-reported theft and misuse of detailed customer records from a closed subsidiary of a high-street bank, this incident shows that all information, irrespective of format, needs to be considered in data security audits. It also needs to be covered by policies that govern its access, usage, storage and disposal,” he added.
