£185,000 penalty after filing cabinet containing details of terrorist incident sold at auction

12 Feb 2014 12:54 PM

A Government department has been fined after a filing cabinet that contained personal information relating to victims of a terrorist incident was sold at an auction.

The files included in the cabinet contained information about the injuries suffered, family details and the amount of compensation offered, as well as confidential ministerial advice.

After an ICO investigation, a civil monetary penalty of £185,000 was issued to Department of Justice Northern Ireland (DoJ NI) for what was described as a very serious data breach.

The incident occurred when the Compensation Agency Northern Ireland, which falls under the control of DoJ NI, moved offices in February 2012.

Staff did not realise the locked cabinet contained sensitive information, and it was earmarked for auction alongside other unwanted office furniture. It was sold, without a key, to a member of the public in May 2012.

When the buyer forced the lock he found papers dating from the 1970s through to 2005. The buyer immediately contacted the Police Service Northern Ireland who returned the papers to the Compensation Agency.
While there was an expectation within the agency that personal data would be handled securely, the ICO investigation found limited instructions to staff on what this meant in practice, despite the highly sensitive information the office held.

ICO Assistant Commissioner for Northern Ireland, Ken Macdonald, said: “This is clearly a very serious case. While failing to check the contents of a filing cabinet before selling it may seem careless, the nature of the information typically held by this organisation made the error all the more concerning.

“The distress that could have been caused to victims and their families had this fallen into the wrong hands is self-evident.”

If you need more information, please contact the ICO press office on
0303 123 9070 or visit the website at:

Notes to Editors

1. The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
2. The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.
3. The ICO is on
Twitter, Facebook and LinkedIn. Read more in the ICO blog and e-newsletter. Our Press Office page provides more information for journalists.
4. Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:

• Fairly and lawfully processed
• Processed for limited purposes
• Adequate, relevant and not excessive
• Accurate and up to date
• Not kept for longer than is necessary
• Processed in line with your rights
• Secure
• Not transferred to other countries without adequate protection