On 10 January 2017, the Information Commissioner (ICO) issued Royal & Sun Alliance Insurance PLC (RSA) with a £150,000 penalty for a serious breach of the Seventh Data Protection Principle.  This is one of the largest penalties issued by the ICO to date, the largest being the penalty issued to Talk Talk of £400,000 in October 2016 (the maximum possible penalty is £500,000).

Schedule 1 of the Data Protection Act 1998 defines the seventh data protection principle as:

“appropriate technical and organisational measures…taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”

What went wrong?

In RSA’s case, it was found that either a member of staff or contractor at RSA had taken a “Network Attached Storage” device offline and stolen it and then was permitted to access the data server room at RSA’s premises. The device was password protected but not encrypted and has not yet been recovered.
It was reported that the device held personal data containing 59,592 names, addresses, bank accounts and sort code numbers and 20,000 names, addresses and credit card primary account numbers.  It did not hold expiry dates or CVV numbers. It transpired during the investigation that 40 RSA staff and contractors had been permitted by RSA to access the data server room unsupervised.

The ICO found there had been a serious breach of the seventh principle by RSA and the breach was of a kind likely to cause “substantial damage or substantial distress”.  RSA had failed to take appropriate technical and organisational measures against the unauthorised or unlawful processing of the personal data.

The findings were made by the ICO on the balance of probabilities.  The ICO found that RSA did not have in place appropriate technical or organisational measures to ensure such an incident did not occur i.e. that such a device would not be stolen by a member of staff or contractor.  The ICO in its decision noted absent measures including the RSA’s failure to:

The ICO deemed this a “serious” breach due to the number of individuals affected, the nature of the personal data and the potential consequences of the breach.  The ICO considered the resources available to RSA (both in terms of staffing and financial resources) and determined that RSA ought reasonably to have known that there was a risk that such an incident would occur and have applied measures to prevent this.
The ICO also considered mitigating factors in determining the penalty, including:

What do businesses need to do to avoid such a contravention of the seventh principle?

Businesses are urged to consider the eventualities of personal data being misplaced or stolen including that held on portable devices.  With the impending implementation of the General Data Protection Directive next year, businesses will be required to undertake impact risk assessments.  Active measures must also be taken which are proportionate to the resources available to the organisation i.e. the larger a business in terms of staff and finances, the more measures the ICO would expect you to take.

Personal data should be protected with a password and also encrypted where applicable and appropriate.  Access to personal data should be restricted to personnel with a need to know or as part of their duties and personnel should be supervised when accessing the personal data where appropriate.  We recommend regular reviews are carried out in relation to any devices containing data and also a review of whether the measures in place are relevant and adhered to. All such reviews should be clearly documented.

On discovery of a breach, the steps a business has taken are also key potential mitigating factors i.e. in informing customers in a prompt way and further preventing any breach. We recommend seeking professional legal advice.

You can find the full ICO decision here.

For further information on data security and putting in place technical and organisational measures please contact me.