02 November 2012

Breaches

The UK Information Commissioner has imposed a Civil Monetary Penalty of £150,000 on the Greater Manchester Police.

The Commissioner indicates that:
An ICO investigation into a data breach at Greater Manchester Police has concluded with the force being fined for failing to take appropriate measures against the loss of personal data.
The action was prompted by the theft of a memory stick containing sensitive personal data from an officer’s home. The device, which had no password protection, contained details of more than a thousand people with links to serious crime investigations. 
The ICO found that a number of officers across the force regularly used unencrypted memory sticks, which may also have been used to copy data from police computers to access away from the office. Despite a similar security breach in September 2010, the force had not put restrictions on downloading information, and staff were not sufficiently trained in data protection. 
The findings prompted the Information Commissioner to use his powers under the Data Protection Act to impose a Civil Monetary Penalty of £150,000. Greater Manchester Police paid that penalty yesterday, taking advantage of a 20 per cent early payment discount (£120,000).
The Commissioner has elsewhere reported that social care charity Norwood Ravenswood has been smacked with a £70,000 penalty "after highly sensitive information about the care of four young children was lost after being left outside a London home".
A social worker, who worked for Norwood Ravenswood Ltd, left the detailed reports at the side of the house on 5 December 2011 after attempting to deliver the items to the children’s prospective adoptive parents. At the time neither occupant was at the house, but when they returned to the property the reports were gone. The information has never been recovered.
The reports contained sensitive information, including details of any neglect and abuse suffered by the children, along with information about their birth families. The ICO’s investigation found that the social worker had not received data protection training, in breach of the charity’s own policy, and received no guidance on how to send personal data securely to prospective adopters.
The reports provide a useful perspective in considering current Australian proposals regarding data breach regulation.