The Information Commissioner’s Office (ICO) has taken enforcement action in response to another public sector data breach, this time involving the Treasury Solicitor’s Department (TSol). Between 2011 and November 2012, the Department incorrectly disclosed information of individuals to third parties on four separate occasions. Katherine Eyres reflects on whether there are any lessons to be learned.
How did the breaches happen?
The ICO was prompted to take enforcement action against TSol following a series of data breaches between 2011 and 2012 involving sensitive personal data in contravention of the Data Protection Act 1998 (DPA 1998).
TSol is the main provider of legal services to central government.
In three of the incidents, case files relating to various litigation cases containing personal information of third parties were sent to the claimant’s solicitors and then on to the claimant.
One other incident involved information about an unfair dismissal case being sent to the wrong person—the bundle of case papers contained the personal data of an individual involved in a separate claim.
The data concerned was ‘sensitive personal data’ (as defined in DPA 1998, s 2), as it related to ‘proceedings for an offence committed or alleged to have been committed by’ the affected data subjects.
What should have happened?
The ICO found TSol’s data handling processes fell short in relation to its procedure for preparing documents for disclosure.
In the first three incidents, the third-party details should have been redacted before the case files were sent to the other side.
In the fourth incident, the recipient address details should have been carefully checked to ensure the case papers were disclosed only to the intended recipient.
The ICO insinuated that, as a legal function, TSol should have known better. ICO head of enforcement Stephan Eckersley said:
‘The nature of the work carried out by the Treasury Solicitor’s Department means that they should have recognised that they were failing in their legal duty to keep people’s information secure. However, delays in addressing these issues allowed further breaches to occur, which has resulted in today’s agreement between our office and the department to improve its practices.’
What has TSol undertaken to do differently in future?
The undertakings given by TSol aim to address these areas by reiterating TSol’s obligations to ensure personal data is processed in accordance with the Seventh Data Protection Principle and, specifically, that:
(1) a clear, documented procedure for staff to follow when preparing information for disclosure is implemented within 6