Breach details
What | Loss of sensitive personal information (Union membership). |
How much | About 19,000 records. |
When | 08 Dec 2011 |
Why | Two files containing member data were sent in error to an unknown email address as part of a tendering process. The files were encrypted, but the password was also sent, separately, to the same address. |
BW Comments
This breach illustrates two issues that all Data Controllers need to be aware of. The first is that test data should always be anonymised: sending real member records not only increases the risk of breaching the seventh principle (security) but also breaches the first (fair and lawful processing) and second (purpose limitation) principles, although interestingly the ICO only took action in respect of the seventh principle. Secondly, any encryption is only as good as its key (password) management: sending the password to the same address as the encrypted file makes the encryption worthless, so passwords should, at a minimum, always be sent by a separate channel. |
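As an added illustration of the first point (this is example code written for this commentary, not anything from Prospect or the ICO), the following shows how a membership export could be minimised and pseudonymised before it is handed to a tenderer. The member records are constructed for the example; the field names, the keyed-token scheme and the release check are assumptions about what such an export might contain, not a description of Prospect's systems. The HMAC key plays the same role as the password in the breach: it stays with the Data Controller and never travels with the data.

```python
import hashlib
import hmac
import re
import secrets

# Constructed sample export (invented records, not real Prospect data):
# the kind of dump a membership system might produce for a tendering exercise.
SAMPLE_MEMBERS = [
    {"membership_no": "P0012345", "name": "Jane Example",
     "email": "jane@example.org", "date_of_birth": "1978-03-14",
     "postcode": "SW1A 1AA", "branch": "Energy", "status": "active"},
    {"membership_no": "P0067890", "name": "John Sample",
     "email": "john.sample@example.com", "date_of_birth": "1985-11-02",
     "postcode": "LS1 2AB", "branch": "Aviation", "status": "retired"},
    {"membership_no": "P0011111", "name": "A. N. Other",
     "email": "other@example.net", "date_of_birth": "1962-07-30",
     "postcode": "EH1 3YZ", "branch": "Energy", "status": "active"},
]

# Fields the recipient has no business need for: removed outright (minimisation).
DIRECT_IDENTIFIERS = {"name", "email"}
# Fields that must never appear unmodified in a release.
QUASI_IDENTIFIERS = {"membership_no", "date_of_birth", "postcode"}

EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
FULL_POSTCODE_RE = re.compile(r"^[A-Z]{1,2}\d[A-Z\d]?\s*\d[A-Z]{2}$", re.I)


def pseudonymise_id(member_no: str, key: bytes) -> str:
    """Replace the membership number with a keyed HMAC-SHA256 token.

    The key is held only by the data controller, so the tenderer cannot
    reverse the token or link it back to a member. The same token is
    produced for the same member, so records stay linkable within the export.
    """
    return hmac.new(key, member_no.encode(), hashlib.sha256).hexdigest()[:16]


def generalise_dob(dob: str) -> str:
    """Reduce an ISO date of birth to a decade band, e.g. 1978-03-14 -> 1970s."""
    year = int(dob[:4])
    return f"{year // 10 * 10}s"


def generalise_postcode(postcode: str) -> str:
    """Keep only the outward code (area + district), e.g. SW1A 1AA -> SW1A."""
    compact = postcode.replace(" ", "").upper()
    return compact[:-3]


def anonymise_record(record: dict, key: bytes) -> dict:
    """Drop direct identifiers, tokenise the ID, generalise quasi-identifiers."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue
        if field == "membership_no":
            out["member_token"] = pseudonymise_id(value, key)
        elif field == "date_of_birth":
            out["birth_decade"] = generalise_dob(value)
        elif field == "postcode":
            out["postcode_district"] = generalise_postcode(value)
        else:
            out[field] = value
    return out


def anonymise_export(records: list, key: bytes) -> list:
    return [anonymise_record(r, key) for r in records]


def contains_direct_identifiers(records: list) -> bool:
    """Release gate: True if any record still carries identifying data.

    Checks both field names and value patterns (email address, full UK
    postcode), so a renamed column does not slip through.
    """
    for rec in records:
        for field, value in rec.items():
            if field in DIRECT_IDENTIFIERS or field in QUASI_IDENTIFIERS:
                return True
            if isinstance(value, str) and (
                EMAIL_RE.search(value) or FULL_POSTCODE_RE.match(value)
            ):
                return True
    return False


if __name__ == "__main__":
    # Fresh per-export key; retained by the controller, never sent with the file.
    key = secrets.token_bytes(32)
    safe = anonymise_export(SAMPLE_MEMBERS, key)
    assert not contains_direct_identifiers(safe)
    for row in safe:
        print(row)
```

The release gate is the practical control: a transfer policy is only effective if something checks the file before it leaves, and a pattern check on values catches the case where a column was renamed but not actually stripped.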
Regulatory action
Regulator | ICO | Action | Undertaking to comply with the seventh data protection principle |
When | 16 Jan 2013 |
Details | The data controller to ensure that adequate policies are in place to cover transfer of data to third parties, that such data is minimised and anonymised, that all staff receive data protection training, and that appropriate security measures are in place to protect personal data. |
BW Observations
Although this was a sizeable breach of some 19,000 records of sensitive personal data, the ICO evidently decided that an undertaking, rather than a monetary penalty, was the more appropriate response given the potential harm that could result. |
Links
View PDF of the Prospect Undertaking (Breach Watch Archive) |
View PDF of the Prospect Undertaking (Via ICO Website) |
Follow Up
The ICO conducted a follow up assessment on 15 May 2013 |
View PDF of the Leeds City Council Undertaking Follow Up (Breach Watch Archive) |
View PDF of the Leeds City Council Undertaking Follow Up (Via ICO Website) |