ICO personal undertaking from advocate highlights importance of data protection compliance by individual data controllers

The Office of the Information Commissioner (ICO) has this morning announced a third personal undertaking to be given by an individual. This follows hot on the heels of yesterday’s announcement in relation to the Oliver Letwin MP “park bins” incident.

Why is this significant?
In many instances, the data controller will be a company, body corporate or other body (for example, a public authority). However, where an individual acts as a sole trader, or trades/carries out processing in an individual capacity (for example, an MP, barrister, or an accountant trading as a sole practitioner), that individual will be the data controller.

This means that it is the individual who is responsible for the processing that he carries out (or that his employees or contractors may carry out on his behalf), and therefore that the individual is also personally liable for any breach of data protection laws. Scary stuff.

What happened in the latest case?
The latest undertaking has been given by an advocate (the Scottish equivalent of a barrister), whose unencrypted laptop was stolen from her house whilst she was on holiday in September 2009.

As I noted in my blog on the Oliver Letwin incident, the Data Protection Act requires that “appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”

The circumstances surrounding the theft are largely academic (the advocate had tradesmen in the house whilst she was away, but it’s not clear when or how the theft took place). What is important is that the laptop, which contained details of various cases that she was working on, was not encrypted. In particular, notwithstanding that the theft took place, the ICO appears to be satisfied with the physical security measures that the advocate had in place. However, the failure to put in place adequate security measures in respect of the laptop itself has led to the advocate being required to give a personal undertaking. A breach of an undertaking could lead to a fine, or an enforcement notice and ultimately prosecution.

What does the ICO require in respect of security measures?
It’s worth recounting the key parts of the undertaking in full, to re-emphasise what the ICO expects data controllers to be doing in relation to device encryption and security:

  • Portable and mobile devices including laptops and other portable media used to store and transmit personal data, the loss of which could cause damage or distress to individuals, are encrypted by 31 December 2011;
  • If personal data is to be stored overnight, other than securely within the data controller’s place of work, it shall be kept in a secure, locked storage place;
  • The data controller shall subscribe to any information security policies and procedures as and when they are implemented by the Faculty of Advocates or her stable [Scottish equivalent of a set of Chambers], and take all appropriate steps to comply with these at all times;
  • The data controller shall implement such other security measures as she deems appropriate to ensure that personal data is protected against unauthorised and unlawful processing, accidental loss, destruction, and/or damage.

I suspect that many individuals who act as data controllers have, to date, generally taken a laxer approach to information security than bodies corporate and public bodies (where information security is a key reputational issue). This undertaking (and yesterday’s undertaking from Oliver Letwin) highlights that there is no difference in the standard that the ICO expects. In instances where individual data controllers are processing personal data (as an advocate, barrister, MP or sole trader will do), it is essential that appropriate steps are taken to ensure that data is kept secure.
