More data protection breaches have been reported by the Data Protection regulator, the ICO.
The Identity and Passport Service (IPS) breached the Data Protection Act by losing the passport renewal applications of 21 individuals, the Information Commissioner’s Office (ICO) said.
The loss occurred in May 2010 at the passport office that was responsible for processing the applications and the ICO was subsequently informed. The missing details included the personal data of both the applicants and their counter-signatories. All of the individuals affected were informed and offered new passports and no complaints have been received. IPS is unaware of any damage having been caused as a result of the loss. Mick Gorrill, Head of Enforcement at the ICO, said: “A passport is an important identification document and it is clearly of concern that information relating to renewal applications has been lost.
“However, there is no evidence to suggest that the applications have fallen into the wrong hands and we are pleased that the Identity and Passport Service is taking steps to stop this happening again.”
Sarah Rapson, Chief Executive of the Identity and Passport Service, has signed an undertaking for and on behalf of the Secretary of State for the Home Department – the data controller as defined in section 1(1) of the Data Protection Act. The IPS has agreed to put in place a number of measures including ensuring that staff are aware of policies for the storage and use of personal data and IT security, and that they are trained in how to follow them.
IPS has also agreed that it will carry out and document regular inspections of the security of the methods used for the processing of personal data as well as undertake regular audits, where an appointed data processor carries out certain tasks on its behalf.
Separately the Isle of Anglesey County Council breached the Data Protection Act after sending benefit details to the wrong recipients, the Information Commissioner’s Office (ICO) said.
The ICO was first made aware of the breach in November 2010 when the council reported that a contractor had mistakenly sent letters to the wrong individuals. The letters included financial information about benefit entitlement, income and savings. The ICO’s investigation found that the council had no written contract in place with the service provider to explain how personal data should have been handled in line with the council’s existing policies and procedures. The authority has contacted the individuals who were involved in the mix up and will put in place contracts with all of the organisations who handle personal information on their behalf.
Anne Jones, Assistant Commissioner for Wales at the ICO said: “An individual’s financial information, including details of their savings and benefits claims, is some of their most personal information. Therefore, this data loss would have been worrying and potentially embarrassing for those involved.
“People should be able to trust that organisations will keep their information secure. We are pleased that the council has taken action to rectify the problems uncovered during this incident and that they will also be following the steps the ICO has instructed them to take in order to stop any similar breach.”
Clive McGregor, Executive Leader at Isle of Anglesey County Council, has signed a formal undertaking to ensure that any processing of personal data carried out on behalf of the council is completed under a contract made and evidenced in writing, and that all contractors will only act on instruction from the council. All staff should also be aware of the council’s policy for the storage, use and disclosure or sharing of personal data and receive the necessary training.
