Jala Transport Limited

Breach details

What Theft of an unencrypted hard drive containing sensitive personal data, including proofs of address and proofs of identity.
How much 250 records.
When 3 August 2012.
Why A briefcase containing an unencrypted hard drive, some documents and approximately £3,600 in case was stolen from the proprietor’s car when it was stuck in traffic. The external hard drive, as the only copy of the company’s customer database, was taken home each day to prevent theft and was protected by an 11-character password. It has not been recovered.

Regulatory action

Regulator ICO
Action Monetary penalty of £5,000.
When 24 September 2013.

Why the regulator acted

Breach of act Breach of the Seventh Data Protection Principle: the company failed to take appropriate measures against the accidental loss or theft of personal data.
Known or should have known The company was used to dealing with large amounts of personal data on a daily basis and had taken some steps to protect it by having it password protected and taking it home overnight. However, the Commissioner’s office published guidance notes in 2007 promising enforcement action against companies suffering thefts of unencrypted data from vehicles, dwellings or inappropriate places. The company should have encrypted the data and transported it in a more secure way, such as in the boot of the car.
Likely to cause damage or distress The disclosure of personal information of the data subjects to unauthorised third parties is likely to cause them substantial distress, particularly as the hard drive has not been recovered. There is also the risk of identity fraud or financial loss.