The ICO has had the power to issue monetary penalty notices of up to £500,000 for serious breaches of the Data Protection Act occurring on or after 6 April 2010, and for serious breaches of the Privacy and Electronic Communications Regulations.
66 enforcement notices were issued by the ICO for DPA infringements between January 2013 and October 2014.
£2.17M in monetary penalties was issued during this period.
Loss of business, brand damage and fines of up to £500K can result from a breach of the DPA.
And there is more to come: fines of up to 100 000 000 EUR or up to 5% of annual worldwide turnover in the case of an enterprise, whichever is greater, are being proposed in the new EU General Data Protection Regulation (GDPR).
A hospital trust has been fined £325,000 after computer hard drives containing confidential information on thousands of patients were stolen.
The Information Commissioner's Office (ICO) said the fine, for Brighton and Sussex University Hospitals NHS Trust, was the highest it had ever imposed. Personal data belonging to patients and staff was taken from Brighton General Hospital in September 2010. The trust said it could not afford to pay the fine and would appeal.
Highly sensitive personal data belonging to tens of thousands of people, including some relating to HIV and Genito-Urinary Medicine patients, was discovered on hard drives sold on eBay in October and November 2010.
The ICO said the data included details of patients' medical conditions and treatment, disability living allowance forms and children's reports.
It also included staff details including National Insurance numbers, home addresses, ward and hospital IDs, and information referring to criminal convictions and suspected offences.
The data breach occurred when an individual working for the trust's IT service provider, Sussex Health Informatics Service (HIS), was told to destroy approximately 1,000 hard drives at Brighton General Hospital.
A data recovery company bought four hard drives from a seller on eBay, who had purchased them from the individual.
The ICO said the trust was unable to explain how the individual removed at least 252 of the hard drives that were supposed to be destroyed from the hospital. The worker was not believed to have known the key code needed to access the room where the drives were stored, and was usually supervised by staff working for HIS.
The ICO's deputy commissioner David Smith said the fine reflected the gravity and scale of the data breach. "It sets an example for all organisations - both public and private - of the importance of keeping personal information secure," he said. The trust's chief executive, Duncan Selbie, said no sensitive data had entered the public domain.
"We dispute the Information Commissioner's findings, especially that we were reckless, and a requirement for any fine," he said. "We arranged for an experienced NHS IT service provider to safely dispose of our redundant hard drives and acted swiftly to recover, without exception, those that their sub-contractor placed on eBay." "It is a matter of frank surprise that we still do not know why they have imposed such an extraordinary fine."
See the original article on the BBC website.
Smartphone and tablet owners have been warned that performing a factory reset is not enough to permanently remove data from Android devices.
Investigations into Android’s software have found that it is possible to retrieve potentially sensitive information that was previously thought to have been wiped. This hardware flaw has left users of Tesco’s Hudl tablet particularly vulnerable.
There is a known bug in the Rockchip processor which allows sensitive information including bank details, PIN codes, Wi-Fi keys and browser cookies to be extracted.
Pen Test Partners' Ken Munro performed the investigations on ten tablets he bought second-hand on eBay. Munro was able to retrieve data that had supposedly been deleted during factory resets.
He explained that a ‘factory reset’ often only deletes the index of files present in the device’s memory. Munro recovered the data using software that was available online for free.
This issue is not exclusive to Android users. Computer forensics expert Jonathan Zdziarski has completed research that found deleted information on Apple products is also vulnerable to data recovery.
Zdziarski’s work has since been independently verified by the security firm Stroz Friedberg.
A spokesman for Tesco stated: ‘Customers should always ensure all personal information is removed prior to giving away or selling any mobile device. To guarantee this, customers should use a data wipe program.’
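The point made above, that a factory reset which only deletes the file index leaves the underlying data in place while an overwriting wipe program does not, as an added illustration (not code from the original article, from Pen Test Partners or from Tesco). It models a flash device as a constructed block store with a separate index and shows a carving routine, of the kind free recovery tools implement, finding a sample Wi-Fi key after an index-only reset and nothing after an overwriting wipe:

```python
"""Toy model of why an index-only 'factory reset' leaves data recoverable.

Constructed illustration: a flat block store with a file index, a reset that
only clears the index, a carver that scans raw blocks, and an overwriting wipe.
"""
import re

BLOCK_SIZE = 16
BLOCK_COUNT = 8


class ToyFlash:
    """Block device plus a filename -> block-list index (constructed model)."""

    def __init__(self):
        self.blocks = [bytes(BLOCK_SIZE) for _ in range(BLOCK_COUNT)]
        self.index = {}                       # filename -> list of block numbers
        self.free = list(range(BLOCK_COUNT))  # unallocated block numbers

    def write_file(self, name, data):
        """Split data into blocks, store them and record them in the index."""
        chunks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
        used = []
        for chunk in chunks:
            blk = self.free.pop(0)
            self.blocks[blk] = chunk.ljust(BLOCK_SIZE, b"\x00")
            used.append(blk)
        self.index[name] = used

    def factory_reset_index_only(self):
        """Mimics a reset that forgets the files but leaves their blocks intact."""
        for blocks in self.index.values():
            self.free.extend(blocks)
        self.index.clear()

    def secure_wipe(self):
        """Overwrite every block, then clear the index; the data is gone for good."""
        self.blocks = [b"\x00" * BLOCK_SIZE for _ in range(BLOCK_COUNT)]
        self.factory_reset_index_only()

    def carve_strings(self, min_len=6):
        """Recover printable-ASCII runs from the raw blocks, ignoring the index."""
        raw = b"".join(self.blocks)
        return [m.group().decode() for m in re.finditer(rb"[ -~]{%d,}" % min_len, raw)]


if __name__ == "__main__":
    dev = ToyFlash()
    dev.write_file("wifi.txt", b"WIFI_KEY=constructed-sample-passphrase")  # constructed
    dev.factory_reset_index_only()
    print("after index-only reset:", dev.carve_strings())   # key still recoverable
    dev.secure_wipe()
    print("after overwriting wipe:", dev.carve_strings())   # nothing left to carve
```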