Data Protection Compliance – more than just having a policy
The Information Commissioner’s Office (ICO) has recently imposed a fine of £150,000 on a company for failing to implement adequate security measures to protect personal information. This case demonstrates for all businesses dealing with personal information (whether of customers, employees, suppliers etc.) that data protection compliance is much more than just having a data protection policy in place.
This case concerned Think W3 Limited, an online travel services company. The ICO found that “insecure coding” enabled a hacker to access the customer database of Think W3’s subsidiary Essential Travel Limited. The hacker extracted over 1.1 million credit and debit card records and accessed customer names, addresses, telephone numbers and email addresses. The ICO found a catalogue of failings by Think W3 which together amounted to a “serious contravention of the Seventh Data Protection Principle” of the Data Protection Act 1998 (DPA), including the following:
- a failure to review or delete any of its customer data from its servers since 2006;
- a failure to carry out any penetration and vulnerability testing of the Essential Travel website; and
- a failure to check and maintain the security of the website coding after initial implementation.
Businesses are reminded that in order to comply with the obligations under the Data Protection Act, they must:
- only collect personal information that they need for a specific purpose;
- ensure that they have the right to collect and process that personal information;
- keep the personal information secure by implementing appropriate technical and organisational measures and regularly review and test those measures;
- ensure the personal information is relevant and up to date;
- only hold as much personal information as they need, and only for as long as they need it; and
- allow the subject of the information to see it on request.