Information Commissioner's Office
Printable version E-mail this to a friend

Treasury Solicitor’s Department to improve data protection practices after redaction errors

The Treasury Solicitor’s Department has agreed to improve its data protection practices after an investigation into four breaches of the Data Protection Act by the Information Commissioner’s Office (ICO).

Between August 2011 and November 2012 the department incorrectly disclosed the personal information of individuals to third parties on four separate occasions. The organisation provides legal services to the majority of central government departments.

In three of the cases, papers relating to various litigation cases were sent out to the claimants’ solicitors, while still containing the personal information of third parties that should have been redacted. In the fourth case, a bundle of case papers relating to an unfair dismissal case were sent to a complainant, but contained the personal data of an individual pursuing a separate claim.

The ICO has issued an undertaking (pdf) that requires the Treasury Solicitor’s Department to improve its processes when redacting documents. This includes providing staff with a clear documented procedure to follow when preparing information for disclosure and providing a mandatory and comprehensive training programme for all new and existing staff. These measures must be put in place within six months.

ICO Head of Enforcement, Stephen Eckersley, said:

“Data security is only as good as the weakest link in the chain. In this case, the Treasury Solicitor’s Department provided guidance to staff on how to prepare documents for disclosure, but there were clear gaps in the information provided and it wasn’t understood by their staff. This led to a series of data breaches over a 16 month period that could easily have been avoided.

“The nature of the work carried out by the Treasury Solicitor’s Department means that they should have recognised that they were failing in their legal duty to keep people’s information secure. However, delays in addressing these issues allowed further breaches to occur, which has resulted in today’s agreement between our office and the department to improve its practices.”

If you need more information, please contact the ICO press office on 0303 123 9070 or visit the website at: www.ico.org.uk.

Notes to Editors

1. The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
 
2. The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.
 
3. The ICO is on
Twitter, Facebook and LinkedIn. Read more in the ICO blog and e-newsletter. Our Press Office page provides more information for journalists.
 
4. Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:

• Fairly and lawfully processed
• Processed for limited purposes
• Adequate, relevant and not excessive
• Accurate and up to date
• Not kept for longer than is necessary
• Processed in line with your rights
• Secure
• Not transferred to other countries without adequate protection

Free, Secure, Compliant UK Public Sector IT Recycling Service