Heathrow Airport and Bupa fines reiterate basic data protection measures businesses should have in place
Whilst the data protection focus has rightly been on the General Data Protection Regulation ("GDPR"), the recent monetary penalty notices issued by the Information Commissioner's Office ("ICO") regarding Heathrow Airport and Bupa highlight:
- Routine data protection risks controllers should address.
- The consequences if a controller fails to adequately secure personal data it is responsible for.
The ICO's Director of Investigations reminded controllers that "Data protection is a boardroom issue and it is imperative that businesses have the policies, procedures and training in place to minimise any vulnerabilities of the personal information that has been entrusted to them".
Due to the date of the breaches, both matters were dealt with under the Data Protection Act 1998 rather than the GDPR.
Heathrow were fined £120,000 after a member of staff lost an unencrypted memory stick. It included sensitive personal data (including information identifying two individuals as trade union members or chairs), names, dates of birth, passport numbers and expiry dates, and details of 12-50 Heathrow aviation security personnel.
Only 2% of Heathrow's staff had received data protection training.
Data protection guidance on an outdated intranet site was held insufficient by the ICO.
Bupa were fined £175,000 after a rogue employee downloaded the personal information of 547,000 data subjects over an 8-week period, sent bulk data reports to his personal email account and offered that information for sale on the dark web. This was over 36% of the records on Bupa's CRM system, SWAN.
Bupa did not routinely monitor SWAN's activity log. This meant Bupa were unaware the log had a defect which resulted in certain reports not being logged and other reports being logged inaccurately. Bupa were therefore unable to detect unusual activity in SWAN, such as bulk extraction of data.
The Bupa and Heathrow monetary penalty notices remind controllers that:
- All staff should receive data protection and information security training. Personnel who process special categories of data or large volumes of personal data should receive annual updates.
- ICT equipment should have its ports locked down, with encrypted memory sticks issued only to specific personnel for authorised purposes. Even if your business processes limited personal data, we recommend this is implemented for confidentiality reasons.
- Adequate risk assessments should be undertaken on your databases, particularly those storing large amounts of personal data.
- You should maintain oversight of and monitor your activity logs, including data being removed from your systems. Unusual activity should be promptly investigated. In any event, staff should only be entitled to transfer data to secure locations.
- You should monitor that your policies, guidance and procedures regarding information security and the use of removable media are enforced. You should act if you become aware that staff have breached your policies and guidance.
- The ICO will view your failure to follow ICO guidance such as "A practical guide to IT security" and "Bring Your Own Device (BYOD)" as an aggravating factor in any personal data breach.
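The two monitoring failures in the Bupa notice, an activity log with gaps nobody noticed and bulk report exports nobody reviewed, are both mechanical checks. The following is an added illustration written for this article (not Bupa's code, and the log format and thresholds are assumptions): it runs over a constructed CRM activity log, reports missing sequence numbers as evidence of a logging defect, and flags any user whose report exports exceed a record threshold within a time window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample activity log (hypothetical format, not real SWAN output).
# Each line: <timestamp> <sequence-no> <user> <action> <records-returned>
SAMPLE_LOG = """\
2017-01-06T09:00:00 1 jsmith VIEW 1
2017-01-06T09:05:00 2 jsmith REPORT 40
2017-01-06T09:06:00 3 amiller REPORT 25000
2017-01-06T09:07:00 4 amiller REPORT 25000
2017-01-06T09:08:00 6 amiller REPORT 25000
2017-01-06T09:09:00 7 jsmith VIEW 1
"""

def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        ts, seq, user, action, records = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "seq": int(seq),
                       "user": user, "action": action, "records": int(records)})
    return events

def logging_gaps(events):
    """Return sequence numbers that never reached the log.

    A non-empty result means the log itself is defective: events happened
    that were not recorded, so monitoring built on the log is unreliable."""
    seqs = sorted(e["seq"] for e in events)
    present = set(seqs)
    return [n for n in range(seqs[0], seqs[-1] + 1) if n not in present]

def bulk_extraction(events, max_records=10000, window=timedelta(hours=1)):
    """Flag users whose REPORT exports exceed max_records in any sliding window.

    Returns {user: peak records exported within one window}. Thresholds are
    assumptions; a real deployment tunes them to normal reporting volume."""
    by_user = defaultdict(list)
    for e in events:
        if e["action"] == "REPORT":
            by_user[e["user"]].append(e)
    flagged = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        start, total = 0, 0
        for i, e in enumerate(evs):
            total += e["records"]
            while evs[i]["ts"] - evs[start]["ts"] > window:  # drop stale events
                total -= evs[start]["records"]
                start += 1
            if total > max_records:
                flagged[user] = max(flagged.get(user, 0), total)
    return flagged
```

Run against the sample, the first check reports sequence number 5 as missing and the second flags the one user whose exports dwarf normal reporting volume; either result is the prompt for the investigation the ICO expected.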
For more information please contact Nathaniel Lane in our Technology & Innovation team.
This article is for general information only and does not, and is not intended to, amount to legal advice and should not be relied upon as such. If you have any questions relating to your particular circumstances, you should seek independent legal advice.