Global Data & Privacy Update - February 2017

Welcome to the February Global Data & Privacy Update. This update is dedicated to covering the latest legislative developments affecting the way data is managed and protected, as well as reporting on the most recent news governing data breaches and industry developments.

ICO fines RSA for data protection breach

The ICO has issued a penalty of £150,000 to Royal & Sun Alliance Insurance PLC (RSA) for failing to prevent the accidental loss of, or damage to, personal data, in breach of the seventh data protection principle.

It was found that between 18 May and 30 July 2015, a person permitted access to RSA's data server room stole a portable 'Network Attached Storage' device, which held the names, bank account details and sort codes of nearly 60,000 individuals. The device was password protected but unencrypted, and it has not been recovered since the theft. The ICO highlighted the lack of encryption and the failure to properly restrict access to the server room as particular reasons for finding a breach of the seventh data protection principle in this case.

The ICO found that the contravention was one likely to cause substantial damage or substantial distress to those affected.

Click here to view the ICO's monetary penalty notice.

ICO fines charities for mishandling donors' personal data

The ICO has fined the RSPCA and British Heart Foundation £25,000 and £18,000 respectively for screening their donors to target them for further fundraising. This was held to be handling personal data in a way inconsistent with the data protection rules. Since the judgment, the Charities Commission has also opened up its own investigations into the charities' regulatory compliance and duties under charity law.

Actions taken by the charities included forming a scheme 'Reciprocate' under which personal details of donors were traded with other charities to create a pool of donor data, without the informed knowledge or consent of the donors whose data were included in the pool.

The ICO exercised its discretion to reduce the fines significantly, so as not to cause the donors further distress through higher penalties that they might see as being funded by their donations. Under normal circumstances, the fines could have been ten times the figure.

Click here to view the ICO's report of its investigation into the charities' conduct.

European Council backs EU-US Umbrella...
