A lot can happen in a week in the world of data protection

Well, it’s been said that ‘a week is a long time in politics’, but the same is now true in information security …

We seem to have an almost daily update on a large corporation somewhere either losing information or being fined. Where previously information security never hit the headlines, it is now difficult to open the IT pages without finding something: whether it be the ICO fining an organisation (Facebook) the maximum fine available under the 1998 Data Protection Act, or news that beleaguered British Airways discovered another data breach while investigating one that occurred earlier this year.

A slightly different news story which hit the front pages recently concerned the employees impacted by a data theft at Morrisons Supermarkets, who won the next round of a class action against their employer. This story started back in 2014 when a disgruntled employee posted employee payroll records online. Whilst that employee was successfully prosecuted and is currently serving an 8 year prison sentence, Morrisons is being sued by more than 5500 employees for the stress, worry and concern caused. Morrisons lost this round and are now appealing to the Supreme Court.

This case is important in a number of ways. It’s the first class action of its kind against a large organisation, and if Morrisons lose, it is expected to cost them millions of pounds in compensation, setting the bar for what individuals can expect. It’s a case, therefore, that a number of organisations will be avidly watching.

Closer to home, I recently received a letter from a large financial institution confirming what I had long since suspected. They had lost my personal data (passport, address, DoB, NI number, signature etc.) for the second time in 15 months. Aside from the nature of the data (everything that could be required for ID fraud), I’ve been more than a little irritated by the seemingly ‘couldn’t care less’ attitude of the organisation.

And that’s the problem. Attitude. There’s been no acknowledgement that this is information that can’t be changed, recreated or reset. That the photocopy of the passport and the completed forms have value. We can write to the Passport Office and ask for a new passport to be issued, but all at cost and inconvenience to us. And even then, there’s no stopping someone with criminal intent from taking that information and opening a bank account, or applying for a credit card, or a loan.

So, I thought that I’d put my Data Protection Officer energy and skills to good use. Instead of helping organisations reply to subject access requests, I’d submit my own. I want to know how the information was lost, was it reported to the ICO, when did they know it was missing, who the information may have been shared with … and ultimately, does anyone care?

I’ll keep you updated as the SAR progresses over the next few weeks, but if you have any data protection queries, or if you happen to find some paperwork in the Leamington area with my passport details etc., then do give us a call.

MD for Risk Evolves, Helen has worked in the IT industry since 1986. Helen is a leader in the areas of risk management and operational improvement, and works with companies in senior governance, risk and compliance roles. She is a member of the British Standards Institute and is a member of the BSI Committee creating a new guidance standard to assist organisations on how to become cyber resilient. Helen and the team at Risk Evolves work with organisations to improve their resilience through stronger process implementation and better communication and education of staff.
