UK Data Protection E-news - June 2010

  1. 1,000 + data breaches reported to the ICO and HMRC discloses personal data again
  2. Data sharing guidance by December
  3. Two NHS trusts sign Undertakings with ICO
  4. EU Commission gives UK two months to grant the ICO more powers

1. 1,000 + data breaches reported to the ICO and HMRC discloses personal data again

As the Information Commissioner’s Office (ICO) announced 1,000 + reported data breaches at the end of May, we learned about Her Majesty’s Revenue and Customs’ (HMRC’s) latest blunder in unlawfully disclosing personal data: 50,000 tax credit recipients received personal information about complete strangers. While HMRC is blaming its printer for wrongly preparing the notices, it is highly embarrassing for the organisation that is supposed to fulfil the requirements of the Poynter Review by 25 June 2011.

Speaking about the 1,000 reported data breaches, David Smith, Deputy Commissioner, said: “We all know that mistakes can happen but, the fact is that human error is behind a high proportion of security breaches that have been reported to us. Extra vigilance is required so that people’s personal information does not end up in the wrong hands. Organisations should have clear security and disclosure procedures that staff can understand, properly implement these and ensure that they are being followed by staff. Staff must be adequately trained not just in the value of personal information, but in how to protect it. The ICO’s Guide to Data Protection and our tips for avoiding wrongful disclosure will help minimise the risks of security breaches occurring. We are keen to work with organisations to prevent breaches happening in the first place and to help ensure that things are put right when they do go wrong.”

Most of the 1,000 + breaches took place within the National Health Service, followed by the private sector. The most common reason for losing personal details was having data or hardware stolen.

Read more about how human errors jeopardise even the best of data security in the next issue of PL&B’s UK Newsletter.

See the ICO’s latest data breach table.

2. Data sharing guidance by December

The ICO is currently preparing a code of practice for data sharing and holding consultation meetings, with a view to launching a public consultation in September 2010. The data sharing review by Richard Thomas and Mark Walport (2008) will be a starting point for the code, and it will address, for example, retention and security of shared information, and access to personal data. It is expected that the final draft will be presented to the Secretary of State for final approval in December 2010.

The principal author of this code, Iain Bourne, Group Manager – Policy Delivery at the ICO, will provide a preview of this initiative by speaking on Wednesday, 7th July on “Partners in crime prevention? Sharing personal data between the public and private sectors” at Privacy Laws & Business’s 23rd Annual International Conference at St John’s College, Cambridge. On Tuesday 6th July, he will speak at the conference on “Personal information online: UK Commissioner’s new code means less confusion and more good practice?”

3. Two NHS trusts sign Undertakings with ICO

National Health Service (NHS) Stoke-on-Trent and Basingstoke and North Hampshire NHS Foundation Trust have been found in breach of the Data Protection Act, and their chief executives have signed formal Undertakings outlining the measures they will take to comply with the Act.

Mick Gorrill, Head of Enforcement at the ICO, said: “Everyone makes mistakes, but regrettably there are far too many within the NHS. Health bodies must implement the appropriate procedures when storing and transferring patients’ sensitive personal information. We have taken a number of steps to explain the importance of personal data to NHS bodies and help them comply with the law. We will continue to do so.”

While the ICO now has the power to issue fines in the most serious cases, it says that in these cases it ‘has made full use of the most appropriate regulatory powers’.  

Mick Gorrill, Head of Enforcement at the ICO, will speak at Privacy Laws & Business’s 23rd Annual International Conference at St John’s College, Cambridge:

  1. on Monday, 5th July, in the employee monitoring and the data loss scenarios
  2. on Wednesday 7th July on Stronger powers: Investigations, Audits and Penalties.

See the latest programme.

4. EU Commission gives UK two months to grant the ICO more powers

The European Commission issued a reasoned opinion on 24 June on the UK’s failures to comply with the EU Data Protection Directive. In particular, the Commission wants the UK to give the Information Commissioner stronger audit and enforcement powers.

The Commission says that UK DP law is curtailed in several ways, leaving the standard of protection lower than required under EU rules.

"I urge the UK to change its rules swiftly so that the data protection authority is able to perform its duties with absolute clarity about the rules. Having a watchdog with insufficient powers is like keeping your guard dog tied up in the basement," said Vice-President Viviane Reding, Commissioner for Justice, Fundamental Rights and Citizenship.

The Commission says that while a number of issues have been resolved, several remain. The ICO should be able to perform random checks and enforce penalties following the checks. The Commission also points out problems with the courts as they can refuse the right to have personal data rectified or erased. There is also a problem with a restricted right to compensation for damage.

The Information Commissioner, Christopher Graham, Mick Gorrill, Head of Enforcement, and Iain Bourne, Group Manager, Policy Delivery, at the ICO will speak at the Privacy Laws & Business 23rd Annual International Conference in Cambridge on 5-7 July. Among the 50+ speakers from 13 countries, Rosemary Jay, Partner, Pinsent Masons, will speak on “How companies and public sector organisations defend themselves against claims for compensation for damages and distress,” an issue covered in the last paragraph above. There are still a few places available. To see the final programme and to register, please go to or contact us on + 44 (0) 20 88689200.



Copyright Privacy Laws & Business 2010