The Information Commissioner's Office (ICO) has announced that Co-operative Life Planning has breached the Data Protection Act.
The breach occurred in March 2011: the details of 82,000 people were accidentally published online when a data file that had been repaired by Co-operative Life Planning's software support contractor was hacked.
The file, which was stored on the contractor's server, contained personal data relating to tens of thousands of customers who had previously paid into funeral insurance policies, including names, dates of birth, addresses and insurance contributions.
On being informed of the breach, Co-operative Life Planning ensured that the data was securely deleted by the software services provider and also made sure that the information was no longer available online.
Ian Mackie, managing director of Co-operative Life Planning, has signed an undertaking to ensure that the data loss prevention software already tested by the group will be introduced across all the company's servers. The organisation will also carry out testing of all future databases which are subject to maintenance to ensure that the data remains secure.
Co-operative Life Planning supplied the ICO with a report about the incident on 8th March, and its investigation found that the software support services provider had no authorisation to copy the data from the organisation's servers and failed to delete the information once the file had been repaired. Co-operative Life Planning also failed to realise that the data had been transferred on two separate occasions and was unaware that customers' details had been made available online.
Sally-Anne Poole, acting head of enforcement at the ICO, said: “This case highlights the need for companies to ensure their contractors are following procedures on keeping customers' personal information secure. Co-operative Life Planning's customers had an expectation that the organisation would keep their details safe and they have been let down by this breach.
“The ICO takes breaches of the law extremely seriously and always seeks to take the most appropriate level of enforcement action. In this case, a monetary penalty was not appropriate because the information that was compromised was unlikely to cause substantial damage or distress and its disclosure didn't present a significant risk to the individuals affected.
“Co-operative Life Planning also had appropriate policies already in place around protecting personal information stored on their servers. Our focus has therefore been to make sure the organisation commits to making improvements to stop this from happening again and we are pleased that they are being put in place.”