WIREDGOV

Southwark Council breached the Data Protection Act by misplacing a computer and some papers containing 7,200 peoples’ personal information which were discovered in a skip earlier this year, the Information Commissioner’s Office (ICO) said recently.

The computer and papers were mistakenly left at one of the council’s buildings at the Spa Road Complex in Southwark when it was vacated in December 2009. They were then discovered in June of this year and disposed of by the building’s new tenant. The information stored on the computer and featured in the papers included details of peoples’ names and addresses, along with other information relating to their ethnic background, medical history and any past criminal convictions.

The breach was reported to the ICO on 3 June 2011 shortly after the information was discovered in the skip. The ICO’s enquiries found that, while the council did have information handling and decommissioning policies in place, the policies were not followed when the offices were vacated. The council also failed to make sure the information stored on the computer was encrypted.

The authority has now agreed to take action to keep the personal information it handles secure. This includes introducing new processes governing the transfer and disposal of personal information and making sure that all portable devices used to store sensitive information are fully protected.

The council has also agreed to an ICO audit in the new year to help them improve their compliance with the Data Protection Act.

Sally Anne Poole, Acting Head of Enforcement said:

“The fact that thousands of residents’ personal details went missing for over two years clearly shows that Southwark Council’s policies for handling personal information are below standard. As this information was lost before the ICO received the power to issue financial penalties we are unable to consider taking more formal action in this case.

“Southwark Council has committed to putting changes in place and we look forward to completing an audit next year to help them to identify further improvements.”

A further undertaking has also been signed by Central Essex Community Services after the loss of a birth book containing information about the general health of 249 mothers and their babies. The book – which should have been stored in a locked filing cabinet – was stored on top of the cabinet in a locked room due to no secure storage space being available. The book has never been recovered.

The ICO has ordered the healthcare provider to take action to keep the personal information it uses secure. Staff will be trained on how to follow the organisation’s data protection guidance and compliance with their existing policies will be routinely monitored to make sure they are being followed. 

View a full copy of both undertakings

Read about the audits the ICO has carried out with a range of organisations from across the public and private sector.

Notes to Editors

1. The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

2. The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.

3. Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:

• Fairly and lawfully processed
• Processed for limited purposes 
• Adequate, relevant and not excessive
• Accurate and up to date 
• Not kept for longer than is necessary 
• Processed in line with your rights 
• Secure 
• Not transferred to other countries without adequate protection 

4. The ICO is on Twitter, Facebook and LinkedIn, and produces a monthly e-newsletter. Our For the media page provides more information for journalists.

5. If you need more information, please contact the ICO press office on 0303 123 9070 or ico.gov.uk/press