Facts

The Information Commissioner's Office (ICO) has made a civil monetary penalty order of £120,000 against Heathrow Airport Ltd after a lost USB stick containing the sensitive personal information of a number of employees was found by a member of the public.

The finder took the USB stick, which was unencrypted, to a public library to view the contents before passing it to a national newspaper. Although there were 76 folders and over 1,000 files on the stick, the personal and sensitive personal data comprised a small amount of the total material. Unfortunately for Heathrow, this material included a training video which exposed the details of 10 employees (including names, dates of birth and passport numbers) and up to 50 Heathrow aviation security personnel.

While the use of unencrypted, removable storage media was a direct breach of Heathrow's data protection policy, the ICO's investigation found that only 2% of the Heathrow workforce had undertaken data protection training. Moreover, no digital safeguards were in place to prevent the use of unauthorised storage media.

Heathrow has since undertaken various actions to contain the incident, including engaging a third-party specialist to monitor the Internet and dark web for any use of the leaked data. It may be comforting to the company that the breach occurred before the Data Protection Act 2018 came into force. As such, the ICO's enforcement powers under the previous 1998 legislation were limited to a civil penalty of up to £500,000. If a breach of this nature were to occur under the EU General Data Protection Regulation and the 2018 act, the company would be liable to a fine of up to 4% of global turnover or €20 million, whichever is the greater.

Key takeaways

When considering how to guard against such data losses, employers should evaluate whether it is necessary to allow employees to use removable storage media, considering how easily an item the size of a thumb drive may be misplaced. If the employer decides to permit the use of storage media, then effective IT systems should be in place to prevent the use of unencrypted media.

Employers should also ensure that employees are fully informed of the applicable data protection policies and given relevant and adequate training. In an increasingly digitised world, data breaches will occur – either through accident or the actions of malicious parties. However, in the event that the worst happens, employers may gain credit from the regulator if they can demonstrate that preventative measures have been taken and that there are records of appropriate employee instruction and training.

For further information on this topic please contact Sean Illing or Rebecca Emery at Lewis Silkin by telephone (+44 20 7074 8000) or email ([email protected] or [email protected]). The Lewis Silkin website can be accessed at www.lewissilkin.com.

This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide.