Two recent ICO fines totalling over £200,000 have shown that, even when an organisation does not immediately appear to be at fault, it can be held liable if it has not taken steps to prevent a risk to personal data.
The larger fine of £155,000 was issued to Greater Manchester Police (GMP), who sent DVDs of interviews with the victims of violent or sexual crime to the National Crime Agency. The DVDs were sent by recorded delivery but went missing in the post and hadn’t been recovered. Although this would appear to be an error by Royal Mail, the ICO determined that GMP had failed to take steps to cover accidental loss as the discs were unencrypted, contravening the seventh data protection principle (which requires appropriate technical and organisational security measures to be taken to prevent unauthorised or unlawful processing, accidental loss of, or destruction or damage to personal data).
A £55,000 fine was issued to Construction Materials Online (CMO), whose website allowed customers to make online purchases with their debit card. A third party had developed the website but had made an error in the website coding, leaving the site vulnerable to hacking. This led to 669 unencrypted cardholder details being accessed. Again, the ICO found that CMO had not taken appropriate measures to prevent unlawful processing of personal data.
Organisations should remember that their data protection duty goes beyond their own actions. They should also consider, and take steps to address, the risk of data protection breaches caused by errors made by third parties to which they entrust responsibility for their data.