The Information Commissioner’s Office (“ICO”) has made a civil monetary penalty order for the sum of £120,000 against Heathrow Airport Ltd (“HAL”) after a lost data stick containing the sensitive personal information of a number of staff members was found by a member of the public.

The finder took the data stick, which was unencrypted, to a public library to view the contents before passing it to a national newspaper. Although there were 76 folders and over 1,000 files on the stick, the personal and sensitive personal data comprised a small amount of the total material. It was particularly unfortunate for HAL, however, that this included a training video which exposed ten individuals’ details (including names, dates of birth, and passport numbers), and the details of up to 50 HAL aviation security personnel.

While the use of unencrypted, removable storage media was a direct breach of HAL’s data protection policy, the ICO’s announcement states its investigation found that only 2% of the HAL workforce had undertaken data protection training. Moreover, there were no digital safeguards in place to prevent the use of unauthorised storage media.

HAL has since undertaken various actions to contain the incident, including engaging a third-party specialist to monitor the internet and “dark web” for any use of the leaked data. It may be of some comfort to HAL that this breach occurred before the new Data Protection Act 2018 came into force. As such the ICO’s enforcement powers under the previous 1998 legislation were limited to a civil penalty of up to £500,000. Were a breach of this nature to occur under the regime of the General Data Protection Regulation and the 2018 Act, the company would potentially be liable to a fine of up to 4% of global turnover or €20 million, whichever is the greater.

When considering how to guard against such data losses, employers should evaluate whether it is actually necessary to allow staff to use removable storage media at all, considering how easily an item the size of a thumb drive may be misplaced. If it is decided to permit the use of storage media, then effective IT systems should be in place to prevent the use of unencrypted media.

Employers should also ensure that staff are fully informed of the applicable data protection policies and given relevant and adequate training. In an increasingly digitised world, data breaches will occur - either through accident or the actions of malicious parties. In the event the worst happens, however, employers may gain credit from the regulator if they can demonstrate that preventative measures have been taken and there are records of appropriate staff instruction and training.

 

Authors