Breach details
| What | A locked filing cabinet containing sensitive personal data relating to claims arising from terrorist incidents in Northern Ireland was sold at auction. |
| How much | Not specified – four-drawer filing cabinet. |
| When | 12 May 2012 |
| Why | In the course of an office move the filing cabinet was sent to auction for disposal. Despite it being locked (and the weight of the cabinet must have indicated that it wasn’t empty) the Data Controller simply ignored the fact that there may have been personal data in the filing cabinet and set it to auction. When the purchaser of the cabinet forced the lock they realised the sensitivity of the information and called the police to take the information away. |
Regulatory action
| Regulator | ICO | Action | Monetary penalty of £ 185,000. |
| When | 14 Jan 2014. |
Why the regulator acted
| Breach of act | Breach of the seventh data protection principle. The Commissioner argued that the Data Controller should have had “detailed procedures in place for the removal of cupboards, pedestals and filing cabinets etc. from one office location to another”. |
| Known or should have known | Given the sensitive political nature of the contents of the cabinet, and the fact that the cabinet was kept locked, the Data Controller should have known that the unauthorised release of the information was likely to case “substantial distress”. |
| Likely to cause damage or distress | The Commissioner states that substantial distress was not actually caused in this case, but argues that had the buyer of the cabinet not contacted the police to remove the data, substantial distress would have occurred. |
Links
| View PDF of the Department of Justice Northern Ireland Monetary Penalty Notice (Breach Watch Archive) |
| View PDF of the Department of Justice Northern Ireland Monetary Penalty Notice (Via ICO Website) |