Barrister fined by ICO for data protection breach
A recent ruling by the Information Commissioner’s Office highlights the responsibility of professionals to safeguard client data held on their home computers. Because while work systems are usually well-protected, oversights on non-work systems can put clients’ data at risk. The ICO has just released details of a penalty imposed on a barrister who had created work documents on her home computer but had not encrypted these files.
The case for the prosecution: a lady barrister held sensitive client information on a desktop which was also used by her husband. Although the computer was password protected the files were unencrypted. This ignored the guidance issued in January 2013 by the Bar Council and her Chambers that a computer used by family members or others may in addition require encryption.
The barrister’s husband updated software on the shared desktop and to back up the files temporarily uploaded them to an online directory to back them up. He assumed the documents were safe.
However, the documents were visible to an internet search engine and 15 documents were cached and indexed. Six of the 15 documents contained ‘confidential and highly sensitive’ information relating to clients involved in proceedings. Although the husband immediately removed the files from the online directory and the internet service provider removed the cache the next day, the ICO found that the barrister contravened the provisions of the Data Protection Act.
The contravention was considered to have run from the date of the January 2013 Bar Council guidance to 5 January 2016 when remedial action was taken. The files contained confidential and highly sensitive information relating to between 200 and 250 individuals.
Due to the number of individuals affected and the sensitive nature of the information, the ICO consider the contravention sufficient to cause ‘distress’ to the clients and that there were justifiable concerns that the information would be further disseminated, ‘even though those concerns did not actually materialise’.
The Commissioner considered that, in her defence, she did not intend to contravene the DPA, and her actions were a ‘serious oversight’ rather than deliberate intent to ignore or bypass the DPA, she should have realised that there was a risk. Taking all this into account the Commissioner decided on a penalty of £1,000.
When the new Data Protection Bill and the EU General Data Protection Regulation (GDPR) come into effect in May 2018 the ICO will have the right to impose significantly larger fines. The scale will be much higher than under current legislation. At the moment the theoretical maximum the ICO can impose is £500,000 but under GDPR it will be 20 million Euros. This equates to a 79 times increase. Theoretically, therefore, the barrister could have been fined up to £79,000 if the contravention had occurred next year.
So while organisations are working toward the new compliance, it is important that individuals also realise that the same principles apply to home computers. Security protocols should be clearly outlined in every corporate strategy and be made known to all individuals working remotely.
SRM has operated in the information security environment since 2002 and our consultants are skilled at performing security assessments and managing strategic compliance projects. Our GDPR team is GCHQ trained and works with clients to achieve all types of ongoing compliance.