UK Health Service Breaches Data Act When Hard Drives Stolen
Europe, Middle East and Africa
The United Kingdom (UK) Information Commissioner’s Office (ICO) has announced that the Brighton and Sussex University Hospitals National Health Service Trust (the Trust) has received a penalty notice for breaching the Data Protection Act. The breach occurred when an individual employed by the IT Service provider for the Trust sold hard drives containing personal information after being given the responsibility of destroying them. The hard drives contained “highly sensitive personal data belonging to tens of thousands of patients and staff”, including “details of patients’ medical conditions and treatment, disability living allowance forms and children’s reports” as well as “staff details”. ICO deputy commissioner and data protection director David Smith stated that the amount of the penalty imposed “reflects the gravity and scale of the data breach”, adding that in this case “the Trust failed significantly in its duty to its patients, and also to its staff”. The Trust has committed to “providing a secure central store for hard drives and other media, reviewing the process for vetting potential IT suppliers, obtaining the services of a fully accredited ISO 27001 IT waste disposal company, and making progress towards central network access”.
ICO’s media release (1 June 2012)
UK Child Care Service Breaches Act
Europe, Middle East and Africa
The United Kingdom (UK) Information Commissioners Office (ICO) has announced that the Telford and Wrekin Council has breached the Data Protection Act due to two instances of the disclosure of personal information about children, and has received a penalty notice (28 May 2012) for £90,000. In the first instance, a member of staff from Safeguarding Services sent the child’s Social Care Core Assessment to the child’s sibling instead of their mother who lived at the same address. In the second breach, the addresses of foster care placements of children were included in the Placement Information Record which was shown to the mother of the children, who noted the addresses. The ICO announced that the “council has now committed to taking action including providing Safeguarding Services staff with further training and support on data protection and information security as well as on using the Protocol system”. The council is also “introducing formal guidance on checking documents printed off the Protocol system, and making changes to its configuration”.
ICO’s media release (6 June 2012)
Hackers Access LinkedIn and eHarmony Accounts
Out-Law.com reports that LinkedIn and eHarmony have confirmed that 6.5 million and 1.5 million accounts respectively have been compromised by a data security breach. Reportedly, passwords corresponding to members’ accounts were posted on an online forum by hackers. Both companies have reportedly responded by invalidating the passwords of members whose data had been breached, with LinkedIn also installing “enhanced security” features and eHarmony adopting measures such as data encryption. LinkedIn has reportedly also modified its mobile app in response to concerns that it was “transmitting information users had entered on their mobile calendars without those users’ consent”. Sophos security consultant Graham Cluley reportedly said that while email addresses were not released with the passwords, “it is reasonable to assume that such information may be in the hands of the criminals”, and advised those affected who are using the same passwords on other sites to change them.
Out-Law.com: LinkedIn and eHarmony confirm password data breach (7 June 2012)
Reuters: LinkedIn works with FBI on password theft (8 June 2012)
(Source: Out-Law.com, Reuters)
FSS Found in Breach of Privacy Act
Australian Privacy Commissioner Timothy Pilgrim has released First State Super Trustee Corporation Own Motion Investigation Report (June 2012). The investigation found First State Super Trustee Corporation (FSS) in breach of the Privacy Act 1988 No. 119 (Cth) in relation to an October 2011 incident, where “an unauthorised person had accessed the secure member section of the FSS website and downloaded personal information belonging to 568 FSS members”. While FSS did not disclose information to a third party, it failed to take “reasonable steps to protect the personal information held in the member section of its website from unauthorised access”. Mr Pilgrim reiterated the need for businesses to take privacy seriously by testing their systems for privacy vulnerabilities.
Privacy Commissioner’s media release (7 June 2012)
(Source: Australian Privacy Commissioner; Lawlex Legislative Alert & Premium Research)
Car Manufacturer Incorrectly Merged Client Account
The Office of the Privacy Commissioner of Canada (OPCC) has made available its Report of Findings No. 2011-007. This matter concerned a complaint by the customer of a car manufacturing company. The OPCC found that “the complainant’s account was automatically merged with the account of another individual on the database system”. Due to this oversight, it was found that “the car manufacturer clearly held and reported inaccurate information about the complainant”, to a credit reporting bureau which affected the complainants credit rating. The OPCC also stated that the company took an “unreasonable length of time to rectify the error”, leading to “inaccuracies in the complainant’s file for over two years”. The company implemented the OPCC’s recommendations, including introducing a procedure by which its customer databases are periodically verified, reviewing its safeguard procedures with customer service representatives and providing the complainant with a letter of apology. Accordingly, the OPCC found that the complaint was resolved.