Solicitor loses confidential papers and causes data breach
8 July 2014
Recently, the Chief Executive of Oxfordshire County Council (the Council) in the UK signed an Undertaking with the Information Commissioner's Office (ICO) in respect of the consequences of a breach of the Data Protection Act 1998 by a solicitor of the Council.
The solicitor had removed a number of documents from the offices of the Council but dropped these in a street near home which were found the next day and handed into the police.
The papers contained sensitive personal data.
The data breach was reported to the ICO whose investigation found that whilst the Council had certain policies in place, these did not address guidance on the security of paper documents for staff working from home on an ad-hoc basis.
Nor was there in place guidance regarding the use of secure and lockable cases for the transportation of documents and nor was there evidence of adequate data protection training.
Whilst the solicitor concerned confirmed that training had taken place, the Council could not evidence the training nor that mandatory data protection training was appropriately monitored.
The Undertaking given by the Council includes not only an acknowledgement of non-compliance with the Data Protection Act but also a lack of suitably monitored training and a lack of adequate security in respect of physical personal data.
The Undertaking specifically indicates that the Council has to put in place an adequate home-working policy, the provision of secure and lockable cases for the transportation of papers, guidance on safe management of physical papers when removed from the office, adequate data protection training and guidance and such other security measures as are deemed necessary.
Whilst this particular enforcement relates to a data breach by a solicitor, the facts and the subsequent undertaking are a lesson from which we could all learn!
This article was written by Robert Bond.
For more information contact Robert on +44 (0)20 7427 6660 or firstname.lastname@example.org