ICO levies £185k fine after cabinet sold with info on terrorism victims

The ICO has issued one of its highest ever fines for a data protection breach after a filing cabinet belonging to a Government agency and containing details of victims of a terrorist incident was sold at an auction.

The watchdog has issued a £185,000 monetary penalty to the Department of Justice Northern Ireland, which is responsible for the Compensation Agency Northern Ireland.

The breach occurred when the agency moved offices in February 2012. The locked cabinet contained information about the injuries suffered by the victims, family details and the amount of compensation offered. It also held confidential ministerial advice.

Staff at the agency had failed to realise what the cabinet held and sent it off for auction along with 58 other cabinets. It was sold, without keys, to a member of the public in May 2012.

The buyer discovered the papers – which dated from the 1970s to 2005 – when he forced the lock. The papers were returned to the agency after the buyer contacted the Police Service Northern Ireland.

According to the ICO, there had been an expectation at the agency that personal data would be handled securely. However, the watchdog’s investigation also “found limited instructions to staff on what this meant in practice, despite the highly sensitive information the office held”.

ICO Assistant Commissioner for Northern Ireland, Ken Macdonald, said: “This is clearly a very serious case. While failing to check the contents of a filing cabinet before selling it may seem careless, the nature of the information typically held by this organisation made the error all the more concerning.

“The distress that could have been caused to victims and their families had this fallen into the wrong hands is self-evident.”

The Department has taken advantage of the early payment discount, bringing the sum paid down to £148,000.

David Ford, Minister of Justice, said: "I, and my Department, take the security of personal data very seriously and accept that this was a breach of the Data Protection Act and should not have happened. We informed the Information Commissioner as soon as we became aware of the breach. The Justice Committee was also subsequently made aware. The Department has co-operated fully with the Information Commissioner and paid the penalty imposed.

"This was an unfortunate breach of data security caused by simple human error and not a systemic problem within the Department. We are satisfied that none of the information was compromised and none of the other cabinets sold contained any files."

Ford added: "Detailed procedures have now been implemented to ensure that, in future, any personal data contained in furniture that is being disposed of will be dealt with securely."

The highest ever fine imposed by the ICO was £325,000, served on the Brighton and Sussex University Hospitals NHS Trust after hard drives containing patient data were sold on an internet auction site.

The trust initially planned to appeal the fine but paid up in July 2012, with the discount available bringing the total amount down to £260,000.