ICO raps housing association for inadequate controls after data breach

A housing association has been criticised by the Information Commissioner’s Office for not having appropriate data protection controls in place, after an email containing the personal details of 200 employees was sent to the wrong external address.

The ICO launched an investigation into Spectrum Housing after the incident, which took place in March 2011.

An employee at Spectrum accidentally sent a non-secure Excel spreadsheet that contained employees’ data, including details of their pension contributions. The error was discovered 30 minutes later. The unintended recipient was informed and the data destroyed.

The ICO said its investigation revealed that Spectrum did not have a sufficient policy in place to help prevent such incidents taking place.

Spectrum’s group chief executive, Wayne Morris, has signed an undertaking to ensure that spreadsheets or other documents containing personal data are only sent by email where necessary and only with the minimum amount of data required.

The housing association will also consider, where appropriate, password protection or encryption.

The ICO’s Acting Head of Enforcement, Sally Anne Poole, said: “While on this occasion the information compromised was not sensitive, the fact is that at the time of the incident Spectrum Housing Group did not have appropriate controls in place. This case highlights the need for organisations to make sure that adequate checks are in place and documents suitably protected before they are sent out.”