Breach details
What | Personal data and sensitive personal data included in CVs. |
How much | 7,435 records. |
When | 11 April 2012. |
Why | CV documents were being stored unprotected on the website www.janetpage.com, in an area that was intended to be a secure portal for prospective employers. However, any member of the public could access and download these documents, which included information about candidates’ ethnicity, religion, and sexuality. |
BW Comments
A reminder that unless you work very hard, documents on a website are very easily accessible.
Regulatory action
Regulator | ICO |
Action | Undertaking to comply with the seventh data protection principle. |
When | 16 July 2013. |
Details | The company shall implement and monitor technical security measures on its website to protect personal data. This data should only be collected when necessary. Staff should also receive data protection training. |
BW Observations
Given the background to the ACS Law MPN it is perhaps surprising that an obviously poorly-configured and amateur website containing (sensitive) personal data didn’t receive more than an undertaking from the commissioner. However, as a jobseeker typically wants their CV circulated as widely as possible, it would be hard for the ICO to establish that the breach of CVs from such a site was likely to cause the Data Subjects damage or distress.
Links
View PDF of the Janet Thomas Undertaking (Breach Watch Archive)
View PDF of the Janet Thomas Undertaking (Via ICO Website)