UK privacy watchdog reveals more than two dozen data breach incidents
The Information Commissioner’s Office (ICO), the United Kingdom’s data protection regulator, has published the details of more than two dozen data protection incidents in which it reprimanded rather than fined the guilty organizations.
The incidents include mistakes in which domestic abuse victims had the address of their emergency accommodation shared with their abusers, and one that led to an individual being wrongfully arrested for creating images of child sexual abuse.
Historically, the ICO has only published enforcement notices alongside fines and the summaries of its audit reports on its website. However, on Tuesday it said that it was introducing a new policy in which it would also publish reprimands, “unless there is a good reason not to, such as matters of national security or that it is likely to jeopardize any ongoing investigation.”
Issuing reprimands is also part of a purposeful strategy from the regulator to reduce the impact of fines on the public by holding back monetary penalties unless they are “truly needed.”
Many of the more than two dozen reprimands are for incidents which have not previously been disclosed, and some form part of ongoing cases.
They reveal the range of the regulator’s work, although the list on the ICO’s website does not summarize what each reprimand was for – instead just linking to the formal documents.
The Record provides a summary below and has highlighted the most extraordinary cases:
- January 18 – Welsh Language Commissioner: The Welsh Language Commissioner, which promotes the use of the Welsh language, was reprimanded over a ransomware incident which took place in December 2020. In particular it was criticized for failing to keep its systems patched and updated, for having switched off logging/auditing, and because its backups, which were also encrypted, were accessible from the organization’s main network.
- February 24 – Scottish Government, NHS National Services Scotland: The Scottish Government was criticized for its data protection efforts around the nation’s COVID-19 status app, which in particular would have allowed the app’s third party ID verification provider to retain users’ images to train its facial recognition algorithm.
- March 2 – Chief Constable of North Yorkshire Police: North Yorkshire Police were criticized for an incident in 2018 in which the force generated a duplicate Single Justice Procedure (SJP) — a rapid process in which a case is decided without going to court — that led to an individual being convicted of the same driving offense twice.
- April 7 – Epsom and St Helier University Hospitals NHS Trust: The NHS Trust was reprimanded after sending incorrect COVID-19 test result data which resulted in individuals wrongly being instructed to isolate by NHS Test and Trace. This resulted in the one-day closure of three local schools, including a special needs school and a special needs nursery.
- April 7 – North Yorkshire County Council: The council was reprimanded after an employee’s mistake resulted in two envelopes with multiple letters containing personal information being sent to two different recipients.
- May 9 – NHS Blood and Transplant: The NHS Blood and Transplant service was reprimanded instead of being issued a fine of just under £750,000 for a coding error that could have caused potential harm to people on the non-urgent transplant list.
- May 17 – Warrington and Halton Hospitals NHS Foundation Trust: The Trust was reprimanded over an incident in which the wrong patient’s records were released to a different patient’s family.
- May 19 – Probation Board for Northern Ireland: The Probation Board was criticized for sending out calendar invites to convicted criminals on probation to join a WebEx chat in a way that revealed the email addresses of all of the individuals who were being invited. “A recipient of these emails could infer that the other names in the group had been convicted of domestic violence or sexual abuse and therefore there is a risk of damage or distress to the data subjects.”
- June 7 – Bolton at Home: Bolton at Home, a service supporting domestic abuse victims, had been contacted by a woman seeking alternative accommodation. The organization left a message on the phone of her husband, whom she was intending to leave, which contained details of the new address where she planned to move.
- June 29 – Allied Health Professionals: Allied Health Professionals’ IT provider, Infotex, made changes to the organization’s systems which made the data of 2,573 patients accessible to health care providers without their consent.
- July 11 – Department of Health and Social Care: The government department has been reprimanded as part of an ongoing investigation by the ICO into personal data being sent via private communications channels.
- July 26 – London Borough of Croydon: The local authority was reprimanded for failing to comply with Subject Access Requests, a request under the U.K.’s data protection legislation in which a person exercises their right to access any information that an organization holds about them.
- July 26 – Grindr LLC: The dating app Grindr was reprimanded for failing to transparently inform users about how it processes their data.
- July 27 – Ministry of Defence: The Ministry of Defence was reprimanded for its failures to comply with Subject Access Requests as part of an ongoing investigation.
- August 16 – Secretary of State for the Home Department (Home Office): The government department was reprimanded after an employee, as part of an education programme for Home Office staff, conducted interviews with people affected by the UK’s “Windrush scandal,” and recorded them on her personal phone and uploaded them to her personal YouTube account, outside of Home Office systems.
- August 19 – Jackson Quinn: The family-focused law firm was reprimanded for inappropriately disclosing information contained in a legal bundle of adoption documents to the birth father of the children, who is currently serving a custodial prison sentence for three convictions of rape of the mother and one conviction of assault by penetration. “He is therefore deemed to pose a high risk to the mother and there is concern that he may attempt to use information disclosed within [the reports] to locate her, her husband and the children and seek to cause them harm.”
- August 26 – South Wales Police: The force was reprimanded over two incidents in which the identities of women who had applied for information under the Domestic Violence Disclosure Scheme and the Child Sex Offender Disclosure Scheme were disclosed to the individuals they were requesting information about, or to the individuals’ partners. In one case, the partner had previous convictions for violence and sexual assault.
- September 20 – Virgin Media Limited: The telecommunications company was reprimanded for failures regarding its response to Subject Access Requests.
- September 21 – Secretary of State for the Home Department (Home Office): The Home Office was reprimanded for failures regarding its response to Subject Access Requests.
- September 21 – London Borough of Hackney: The local authority was reprimanded regarding its responses to Subject Access Requests.
- September 22 – Wakefield Council: The council was reprimanded after sending a court bundle, as part of Child Protection Legal Proceedings, which included the home address of the mother and her two children to the children’s father. The mother was described as fearful of the father due to a history of ongoing domestic violence and a break-in at her previous accommodation. “As a result of the breach, the mother and her children had to be moved into emergency alternative accommodation on the same day of the breach.”
- September 23 – Lambeth Council: The council for the London borough was reprimanded regarding its response to Subject Access Requests.
- September 23 – Chief Constable of Kent Police: The force was reprimanded over Subject Access Request compliance.
- October 7 – Secretary of State for the Home Department (Home Office): The government department was reprimanded after an envelope containing four documents classified ‘Official Sensitive’ was found at a venue in London. The Home Office failed to report the data breach for seven months, far in excess of the 72 hours allowed under data protection laws.
- October 31 – Department for Work and Pensions: The government department failed to test a software application that redacted official documents, resulting in the redactions not appearing in official material when printed. This resulted in the inappropriate disclosure of 16 data subjects’ personal data to third parties. Included was a person’s address, disclosed to their ex-partner with a history of domestic violence.
- November 2 – Department for Education: The government department gave a third party access to a database containing 28 million records, some of which pertained to children aged 14 and older.
- November 2 – North Yorkshire Police: North Yorkshire Police was reprimanded for making a data processing error that led to an innocent person being wrongly arrested in August 2019 for the serious offense of making indecent images of children. The person’s home was searched and three of their electronic devices were seized. The mistake wasn’t discovered until a Friday at the end of November, but the individual who had been wrongly arrested wasn’t informed until the relevant manager returned to work on Monday. The innocent person had been wrongly identified due to a human error in entering the date as part of an IP resolution request. Although many police forces now have systems in place to allow officers to copy and paste dates and IP addresses, historically IP resolution errors — errors when resolving an IP address to a real-world address — have led to dozens of innocent people being arrested in the UK, and even one family having their children taken away for a weekend while the parents were questioned.
- November 10 – Royal Free London NHS Foundation Trust: The Royal Free was reprimanded after nine years of medical hysteroscopy scans held on USB sticks were lost, either as the result of the data becoming corrupted or the institution having forgotten the passwords.
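The May 19 Probation Board reprimand turns on a mechanical detail: a meeting invitation sent with every address in the To: field discloses the whole group to each recipient. The following Python script is an added illustration (not part of The Record’s reporting or of the ICO’s documents) of how a sending system can catch that before the message leaves. The sender address and recipient list are constructed for the example; the check counts the addresses that will be visible to every recipient (To: and Cc:) and refuses a bulk mailing that exposes more than one.

```python
from email.message import EmailMessage
from email.utils import getaddresses

SENDER = "probation-office@example.invalid"   # constructed sender address

# Constructed recipient list standing in for the people on probation who were invited
CONSTRUCTED_RECIPIENTS = [
    "person.a@example.invalid",
    "person.b@example.invalid",
    "person.c@example.invalid",
]


def build_invite(recipients, disclose_recipients=False):
    """Build a meeting invitation.

    disclose_recipients=True reproduces the failure mode: every address goes in
    the To: header, so each recipient can read the whole group.  The default puts
    the group in Bcc:, which smtplib.SMTP.send_message strips before transmission,
    and addresses the To: header to the sender itself.
    """
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["Subject"] = "Invitation: online session (WebEx)"
    msg.set_content("Please join the session using the link in the calendar entry.")
    if disclose_recipients:
        msg["To"] = ", ".join(recipients)
    else:
        msg["To"] = SENDER
        msg["Bcc"] = ", ".join(recipients)
    return msg


def visible_recipients(msg):
    """Addresses that every recipient will see: To: and Cc: only.
    Bcc: never reaches the recipients' copies, so it is not counted."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(headers) if addr]


def check_bulk_message(msg, max_visible=1):
    """Policy gate for mailings to a sensitive group: refuse to send when more
    than `max_visible` addresses would be exposed to all recipients."""
    visible = visible_recipients(msg)
    if len(visible) > max_visible:
        return False, f"{len(visible)} addresses would be visible to all recipients: {visible}"
    return True, "no recipient list exposed"


if __name__ == "__main__":
    leaky = build_invite(CONSTRUCTED_RECIPIENTS, disclose_recipients=True)
    safe = build_invite(CONSTRUCTED_RECIPIENTS)
    print("leaky invite:", check_bulk_message(leaky))
    print("safe invite: ", check_bulk_message(safe))
```

The gate belongs on the outgoing path of whatever system generates the invitations, not in staff guidance; the Probation Board case is exactly the kind of mistake that a one-line policy check prevents and that training alone does not.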
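The October 31 Department for Work and Pensions reprimand describes redaction software that was never tested against its printed output, so the redactions visible on screen were absent from what went out of the door. The Python script below is an added illustration (not part of The Record’s reporting or of the ICO’s documents) of why a redaction test must run against every output path. It uses a constructed toy document model, a constructed letter and a constructed address: an “overlay” redaction draws a box over the text but leaves it in place, so the print path still emits it, while a “removal” redaction replaces the characters themselves. The verifier checks each rendering for the secrets rather than trusting the editor view.

```python
import re
from dataclasses import dataclass, field

# Constructed sample letter; the address and postcode are invented for this example
CONSTRUCTED_LETTER = (
    "Dear Claimant,\n"
    "We write regarding your claim.\n"
    "Current address: 12 Example Street, Sampletown, SA1 1AA\n"
    "Yours sincerely,\n"
    "Benefits Office\n"
)
ADDRESS_PATTERN = r"(?<=Current address: ).+"       # the value after the label
SECRETS = ["12 Example Street", "SA1 1AA"]           # strings that must never leave


@dataclass
class Document:
    """Toy document model (constructed for this example): a text layer plus
    a list of (start, end) spans covered by drawn boxes, as a PDF annotation would be."""
    text: str
    overlays: list = field(default_factory=list)


def redact_by_overlay(doc, pattern):
    """Flawed approach: draw a box over each match, leaving the text underneath intact."""
    for m in re.finditer(pattern, doc.text):
        doc.overlays.append((m.start(), m.end()))
    return doc


def redact_by_removal(doc, pattern):
    """Correct approach: replace the matched characters, so no output path can carry them."""
    doc.text = re.sub(pattern, lambda m: "\u2588" * (m.end() - m.start()), doc.text)
    return doc


def render_screen(doc):
    """What the operator sees in the editor: overlays hide the covered spans."""
    chars = list(doc.text)
    for start, end in doc.overlays:
        for i in range(start, end):
            chars[i] = "\u2588"
    return "".join(chars)


def render_print(doc):
    """What the print/export path emits: the text layer only.  This models an
    output path that ignores annotations, which is the failure described above."""
    return doc.text


OUTPUT_PATHS = (render_screen, render_print)


def leaked_secrets(output, secrets):
    """Return the secrets that appear verbatim in a rendered output."""
    return [s for s in secrets if s in output]


def redaction_is_effective(doc, secrets):
    """Test the artefacts that actually leave the organisation: every output path,
    not just the on-screen view the operator approved."""
    return all(not leaked_secrets(render(doc), secrets) for render in OUTPUT_PATHS)


if __name__ == "__main__":
    overlay = redact_by_overlay(Document(CONSTRUCTED_LETTER), ADDRESS_PATTERN)
    removed = redact_by_removal(Document(CONSTRUCTED_LETTER), ADDRESS_PATTERN)
    print("overlay redaction passes:", redaction_is_effective(overlay, SECRETS))
    print("removal redaction passes:", redaction_is_effective(removed, SECRETS))
```

The on-screen check alone would have passed the overlay version; only rendering through the same path the printer uses exposes the gap. A release test for any redaction tool should therefore extract text from the final printed or exported file and search it for the values that were supposed to be gone.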
“Ultimately, we want to be transparent with the public when we hold a business or organization to account and what they need to do to improve their practices,” stated the ICO.
“We also want the wider economy to learn from those reprimands. By reading about where an organization failed to comply with data protection laws, we hope that others will understand what went wrong and what they need to do if they find themselves in a similar scenario.”