The Information Commissioner was given the power to issue civil monetary penalties for serious breaches of the data protection principles in 2011. The vast majority of monetary penalties which have been issued by the ICO have been for breaches of the 7th principle of the Data Protection Act 1998 (also known as the security principle).
During 2018 the ICO issued 15 monetary penalties for breaches of the 7th data protection principle. The 8 main problem areas for 2018 were as follows:
- Poor software patching and penetration testing.
- Use of pivot tables in Spreadsheets.
- Monitoring systems.
- SQL injection attacks.
- Email failings.
- Portable media containing sensitive information not encrypted.
- Paper Files.
- Staff training.
2 Cyber Security.
Cyber security is now one of the ICO priority areas for 2019 and beyond. The ICO has recently recruited some very senior staff for their new Technology Department. There is a great deal of guidance on the ICO website regarding Cyber Security. Of the fifteen monetary penalties issued during 2018 eleven involved failures of technology. Again some organisations made some basic mistakes which could have been avoided.
For example Car Phone Warehouse was fined £400,000 after a hacker successfully accessed numerous databases within the CPW systems. Some of the databases accessed contained large quantities of customer personal data. The ICO said that CPW’s approach to software patching was ‘seriously inadequate.’
Software patching and penetration testing are now key elements of any security regime. Where there is a security breach and the ICO discovers unpatched servers and out of date software a monetary penalty is likely to follow.
Last year the ICO also fined organisations for poor use of pivot tables and failing to accurately monitor their systems especially where large amounts of information are being transferred.
Once again an organisation was fined after suffering a security breach which was facilitated by a SQL injection. SQL injection is a common and well understood security vulnerability. In 2014 the ICO issued guidance about protecting personal information online which included a section on SQL injection. Attacks using SQL injection will always be viewed as serious by the ICO because such attacks should be prevented.
Equifax and Facebook (Ireland) were both fined the maximum penalty of £500,000 for personal data breaches. The ICO criticised Equifax for not encrypting all the personal data held on its system and for not adequately protecting user passwords ( some were stored in plain text) and for not having fully up to date software. Facebook was criticised for allowing third party apps to collect personal data of Facebook users and their friends.
Every year the ICO takes some form of regulatory action following the inappropriate use of email. This is also an area where great care needs to be taken if sensitive or special category personal information is emailed to third parties. It is very important that this is covered in an organisation’s data protection training.
Last year Gloucestershire Police was fined £64,000 and the Independent Inquiry into Child Abuse was fined £200,000 after careless use of emails involving sensitive personal information.
4 Portable Media device not encrypted.
Since 2007 the ICO has said that portable media devices (PMD) containing personal information must be encrypted. Unencrypted portable media devices containing sensitive personal information which is lost stolen or misplaced will always lead to a monetary penalty.
Three organisations were fined significant amounts for failing to encrypt portable media which was subsequently lost or misplaced:
Humberside Police £130,000; the Crown Prosecution Service fined £325,000 and Heathrow Airport £120,000.
5 Paper Files.
Every year paper files containing sensitive personal information which are lost, stolen or otherwise poorly safeguarded come to the attention of the ICO. The data protection principles apply personal information contained in paper files as well as those digitally held. Again all staff should be aware of the importance of keeping paper files secure especially where they contain sensitive personal information.
Last year Bayswater Medical Centre was fined £35,000 for leaving paper files containing sensitive personal data at a discussed medical centre.