Who: The UK Information Commissioner's Office (the “ICO”) and The Money Shop.
When: 6 August 2015.
Law stated as at: 3 September 2015.
The ICO has issued a fine of £180,000 against The Money Shop following a number of data privacy breaches by the company in failing to keep personal data secure in line with the seventh principle of the Data Protection Act 1998 (the “DPA”). The Money Shop was deemed to have breached its obligation to ensure that “appropriate technical and organisational measures” were taken to protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
One server was stolen from a branch of The Money Shop in Northern Ireland and a second server was lost by a courier firm in Swindon. The ICO further found that the servers, which held both local and national customer details in addition to employee data, were not sufficiently encrypted to protect the information from unauthorised access.
ICO says protection measures were not on the money
In addition to the fine, the ICO publicly criticised The Money Shop, publicising its inadequate storage of data based on the findings of its investigation. For instance, while the company’s policy stated that servers should be stored in separate locked rooms, the ICO determined that many of its branches, including the one in Northern Ireland, did not have rooms that could serve this purpose.
The Money Shop was also found to have regularly transported unencrypted servers between its head office and regional branches and to have failed to delete customer personal data from the servers when it was no longer required.
The ICO concluded that this breach of the DPA was likely to cause substantial distress or damage, given that customers would suspect that their data had been unlawfully disclosed to unknown third parties. In addition, there was a substantial risk that the data could be further unlawfully disseminated, a risk exacerbated by the sheer number of individuals whose data was disclosed.
Why this matters:
The ICO stated that, “Hopefully, it’s an example to other organisations, whatever business they may be in, that the safety of personal information must be taken seriously. Policies and procedures must be in place or we will take action.”
This seems to indicate that the ICO is taking a tougher stance on breaches of personal data, especially where there is an increased risk that the breach could lead to fraud and financial loss for consumers. Any company which holds personal data should sit up and take note of the very real threat of ICO sanctions in the event of inadequate protection of that data.