Be exact when you redact - data protection compliance lessons learned from TSol breaches

Be exact when you redact - data protection compliance lessons learned from TSol breaches

The Information Commissioner’s Office (ICO) has taken enforcement action in response to another public sector data breach, this time involving the Treasury Solicitor’s Department (TSol).  Between 2011 and November 2012, the Department incorrectly disclosed information of individuals to third parties on four separate occasions.  Katherine Eyres reflects on whether there are any lessons to be learned.

[caption id="attachment_5171" align="alignright" width="300"] © 2011[/caption]

How did the breaches happen?

The ICO was prompted to take enforcement action against TSol following a series of data breaches between 2011 and 2012 involving sensitive personal data in contravention of the Data Protection Act 1998 (DPA 1998).

TSol is the main provider of legal services to central government.

In three of the incidents, case files relating to various litigation cases containing personal information of third parties were sent to the claimant’s solicitors and then on to the claimant.

One other incident involved information about an unfair dismissal case being sent to the wrong person—the bundle of case papers contained the personal data of an individual involved in a separate claim.

The data concerned was ‘sensitive personal data’ (as defined in DPA 1998, s 2), as it related to ‘proceedings for an offence committed or alleged to have been committed by’ the affected data subjects.

What should have happened?

The ICO found TSol’s data handling processes fell short in relation to its procedure for preparing documents for disclosure.

What should have happened, in the first three incidents, was that the third party details should have been redacted before the case files were sent to the other side.

In the fourth incident, the recipient address details should have been carefully checked to ensure the case papers were disclosed only to the intended recipient.

The ICO insinuated that, as a legal function, TSol should have known better. ICO head of enforcement Stephan Eckersley said:

‘The nature of the work carried out by the Treasury Solicitor’s Department means that they should have recognised that they were failing in their legal duty to keep people’s information secure. However, delays in addressing these issues allowed further breaches to occur, which has resulted in today’s agreement between our office and the department to improve its practices.’ 

What has TSol undertaken to do differently in future?

The undertakings given by TSol aim to address these areas, by reiterating TSol’s obligations to ensure personal data is processed in accordance with the Seventh Data Protection Principle and, specifically that:

(1)           a clear, documented procedure for staff to follow when preparing information for disclosure is implemented within 6

Subscription Form

Already a subscriber? Login
RELX (UK) Limited, trading as LexisNexis, and our LexisNexis Legal & Professional group companies will contact you to confirm your email address. You can manage your communication preferences via our Preference Centre. You can learn more about how we handle your personal data and your rights by reviewing our  Privacy Policy.

Related Articles:
Latest Articles:

Access this article and thousands of others like it free by subscribing to our blog.

Read full article

Already a subscriber? Login