When Salford Magistrates Court was closed down at the end of 2011, an IT contractor was engaged to decommission the court's IT systems. During this process, a server containing over 400,000 confidential court files was stolen from the court, and the theft was only discovered when the server turned up for sale on eBay! What are the data protection lessons?
In this case, the stolen server contained court documents and e-mails relating to various criminal cases with personal data relating to victims and witnesses. The theft of the server was only discovered in May 2012 when it was seen advertised for sale on eBay. The matter is currently being investigated by the ICO.
As we've previously blogged, disposal of IT equipment is deemed to be 'processing' for the purposes of the DPA. When IT equipment containing personal data is being disposed of, it is essential that the data controller takes steps to comply with its obligations under the 7th principle of the DPA, particularly when appointing a third party to dispose of the equipment, including:
- Ensuring that appropriate security measures are in place.
- Undertaking due diligence on the supplier.
- Putting a contract in place which clearly sets out the service provider's obligations.
- Taking practical steps to verify that the service provider actually does what it said it would do in its answers to your due diligence questions and under the agreed contractual obligations - simply putting a contract in place without any further steps won't be enough to comply with the DPA or to satisfy the ICO if a security breach occurs.
The wider issues that this and the other recent cases raise are:
- Large volumes of potentially sensitive personal data may be stored on unwanted IT equipment (but the data controller still has obligations to deal with the data held on that equipment in compliance with the DPA).
- Data controllers are failing to assess what data is held on the equipment before the equipment is entrusted to a third party.
- The processes which data controllers use to securely destroy data before equipment leaves their control, or which are used where third parties are entrusted to securely dispose of data, are inadequate (and don't comply with the 7th principle of the DPA).
The key issue for organisations to remember when they entrust the disposal of IT equipment to third parties is that they remain responsible and liable for breaches of the DPA, even if those breaches are caused by their third party service provider. In each of these cases, the disposal of IT equipment was entrusted to a third party specialist provider of such services, and these cases demonstrate that taking the provider's assurances at face value isn't enough. Due diligence, contracts and ongoing audits and verification that the service provider is doing what it should be doing are all essential.
The ICO has produced guidance on the disposal of unwanted IT equipment, and if a security breach arises, it's very helpful to be able to demonstrate that your organisation has followed the ICO's best practice guidance.