UPS Ltd Subject of UK Data Security Enforcement

Security is one of the key data protection principles set out in Schedule 1, Part 1, of the Data Protection Act 1998 (the “DPA”) and although organizations are familiar with the principle, the basic elements of protecting data can still be overlooked. As a reminder, the DPA requires all ‘data controllers’ (such as UPS Ltd in this case) to comply with the eight data protection principles. The seventh principle deals with the security of personal data and provides that data controllers must take “appropriate technical and organizational measures against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”. This means, for example, using password protection and encryption on portable hardware, such as laptops and memory devices. Of course, such measures are only effective if everyone knows about them and uses them appropriately.

This recent decision involved the loss of personal data when a UPS employee’s laptop was stolen, whilst on business abroad last year. The laptop was unencrypted and was never recovered.

Unfortunately (but as is often the case) it held personal data belonging to some 9,150 UK-based employees. Worse still, the data was payroll-related and so contained information relating to employees’ names, dates of birth, National Insurance numbers, salary and bank details.
Whilst there is no legal requirement to inform the Information Commissioner’s Office (ICO) of a DPA breach, UPS Ltd’s lawyers made the notification for their client, presumably recognizing the harm that could result from the loss of such data, for the employees themselves and also for the company’s reputation.

By this time, UPS Ltd had endeavored to remedy the breaches and could therefore submit evidence of improvements it had made, to the ICO. Helpfully, in reaching its decision, the ICO noted such remedial steps as:

• encryption for all UK and European UPS laptops and Smart phone devices and

• updating the security policy to include encryption for removable media

The ICO also recognized UPS Ltd’s understanding of the seriousness of the event and its efforts to comply with the DPA. Rather than issuing an Enforcement Notice, UPS Ltd were able to sign an undertaking to comply with the DPA and put in place these promises within 6 months.

This case demonstrates that although mistakes happen, there are ways to limit the exposure and organizations in breach of the DPA should act purposefully to rectify the damage as soon as possible.

Authored by the HL Chronicle of Data Protection Team