Cause for concern
A recent security breach highlights why social housing providers should consider how they handle data, say legal experts Alison Deighton and Amy Carswell
Data security breaches are a concern for all organisations that store, handle and transmit large amounts of personal data. For registered providers, which in England collectively hold personal information on more than eight million tenants, data protection is paramount. Failing to protect against data security breaches can have serious consequences for housing associations, including fines of up to £500,000 imposed by the Information Commissioner's Office (ICO).
A recent security breach at a housing association is the latest in a series of high profile data protection breaches in the social housing sector over the last year. The ICO has made it clear that the social housing sector is very much on its radar and associations would be well advised to take the opportunity to review and consolidate their data protection policies and procedures.
In March last year, an employee at the housing association inadvertently emailed an unprotected Excel spreadsheet containing the personal information of 200 employees to the wrong email address. Although the spreadsheet was initially thought to contain only a small amount of personal data, it was later discovered that further data could be revealed within it. The attachment contained details of employee pension contributions but no sensitive personal data.
Within 30 minutes of the error being realised, the recipient was contacted and confirmed that the email had been deleted. The ICO was alerted to the breach and investigated the matter.
ICO investigation and enforcement action
The ICO investigation revealed that, at the time of the incident, the housing association had no clear policy on sending personal or sensitive personal data by email. Indeed, it was neither policy nor common practice for emails containing personal or sensitive personal data to be encrypted or password protected. It also became evident that the email went to the wrong recipient because the email client automatically suggested the address, based on previous messages the sender had sent.
Following its investigation, the ICO required the group chief executive of the housing association to ensure that the following steps were taken:
- spreadsheets or other documents containing personal data should be sent by email only when necessary and should only contain the minimum data required for the purpose;
- when sending personal data by email, employees should consider whether documents containing personal data should be password protected or encrypted;
- all staff with access to company email accounts should be made aware of the risks of using auto-suggested addresses when sending personal data by email;
- staff with responsibility for sending personal data by email should be informed of company policies regarding communication methods; and
- compliance with these policies should be monitored regularly.
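The incident turned on a spreadsheet that held more than its sender realised, and the first undertaking asks for documents to carry only the minimum data needed. As an added example, not code from the article, the ICO or the housing association, the Python script below audits an .xlsx attachment before it is sent and lists every hidden sheet, row and column. It assumes that the "further data" in the incident sat in such hidden structures, which the article does not state, and it builds its own sample workbook in memory with made-up names and figures so that it runs offline.

```python
# Added example (not code from the article or the housing association): a
# pre-send audit of an .xlsx attachment for content the sender may not have
# looked at. It ASSUMES the "further data" in the incident sat in hidden
# sheets, rows or columns; the article does not say where it was.
import io
import zipfile
import xml.etree.ElementTree as ET

NS_MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS_R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS_PKG = "http://schemas.openxmlformats.org/package/2006/relationships"
WORKSHEET_TYPE = NS_R + "/worksheet"


def _is_true(value):
    """OOXML booleans appear as "1" or "true"; an absent attribute means false."""
    return value is not None and value.lower() in ("1", "true")


def _part_path(target):
    """Resolve a relationship Target (relative to xl/, or absolute) to a zip member."""
    return target.lstrip("/") if target.startswith("/") else "xl/" + target


def audit_xlsx(data):
    """Return the hidden sheets, rows and columns found in an .xlsx given as bytes."""
    report = {"hidden_sheets": [], "hidden_rows": {}, "hidden_cols": {}}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        # Map each sheet's relationship id to the worksheet part it points at.
        rels = ET.fromstring(zf.read("xl/_rels/workbook.xml.rels"))
        part_by_id = {
            rel.get("Id"): _part_path(rel.get("Target"))
            for rel in rels.iter(f"{{{NS_PKG}}}Relationship")
            if rel.get("Type") == WORKSHEET_TYPE
        }
        workbook = ET.fromstring(zf.read("xl/workbook.xml"))
        for sheet in workbook.iter(f"{{{NS_MAIN}}}sheet"):
            name = sheet.get("name")
            # "veryHidden" sheets cannot be unhidden from Excel's menus at all.
            state = sheet.get("state", "visible")
            if state in ("hidden", "veryHidden"):
                report["hidden_sheets"].append((name, state))
            ws = ET.fromstring(zf.read(part_by_id[sheet.get(f"{{{NS_R}}}id")]))
            rows = [int(r.get("r")) for r in ws.iter(f"{{{NS_MAIN}}}row")
                    if _is_true(r.get("hidden"))]
            cols = [(int(c.get("min")), int(c.get("max")))
                    for c in ws.iter(f"{{{NS_MAIN}}}col") if _is_true(c.get("hidden"))]
            if rows:
                report["hidden_rows"][name] = rows
            if cols:
                report["hidden_cols"][name] = cols
    return report


def safe_to_send(report):
    """A workbook passes only if nothing is hidden from the sender's view."""
    return not (report["hidden_sheets"] or report["hidden_rows"] or report["hidden_cols"])


def build_sample_workbook():
    """Constructed sample: a minimal .xlsx with a hidden column, row and sheet.

    Names and figures are made up for this example."""
    def cell(ref, text):
        return f'<c r="{ref}" t="inlineStr"><is><t>{text}</t></is></c>'

    sheet1 = (
        f'<worksheet xmlns="{NS_MAIN}">'
        '<cols><col min="3" max="3" width="0" hidden="1"/></cols><sheetData>'
        f'<row r="1">{cell("A1", "Employee")}{cell("B1", "Contribution")}{cell("C1", "Salary")}</row>'
        f'<row r="2">{cell("A2", "A. Example")}{cell("B2", "120")}{cell("C2", "24000")}</row>'
        f'<row r="3" hidden="1">{cell("A3", "B. Example")}{cell("B3", "95")}{cell("C3", "19000")}</row>'
        "</sheetData></worksheet>"
    )
    sheet2 = (f'<worksheet xmlns="{NS_MAIN}"><sheetData>'
              f'<row r="1">{cell("A1", "Home address")}</row></sheetData></worksheet>')
    workbook = (
        f'<workbook xmlns="{NS_MAIN}" xmlns:r="{NS_R}"><sheets>'
        '<sheet name="Pension summary" sheetId="1" r:id="rId1"/>'
        '<sheet name="Staff detail" sheetId="2" state="hidden" r:id="rId2"/>'
        "</sheets></workbook>"
    )
    rels = (
        f'<Relationships xmlns="{NS_PKG}">'
        f'<Relationship Id="rId1" Type="{WORKSHEET_TYPE}" Target="worksheets/sheet1.xml"/>'
        f'<Relationship Id="rId2" Type="{WORKSHEET_TYPE}" Target="worksheets/sheet2.xml"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml", workbook)
        zf.writestr("xl/_rels/workbook.xml.rels", rels)
        zf.writestr("xl/worksheets/sheet1.xml", sheet1)
        zf.writestr("xl/worksheets/sheet2.xml", sheet2)
    return buf.getvalue()


if __name__ == "__main__":
    findings = audit_xlsx(build_sample_workbook())
    print(findings)
    print("safe to send:", safe_to_send(findings))
```

Run against the sample workbook, the audit flags the hidden "Staff detail" sheet, the hidden salary column and the hidden third row, and `safe_to_send` returns `False`. The check covers only the structures named above; an .xlsx can also carry data in pivot caches, cell comments, defined names and document properties, so it complements rather than replaces the undertaking to export only the minimum data in the first place.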
Lessons to be learned
The ICO agreed to accept undertakings from the housing association rather than issuing a formal enforcement notice, partly because action was taken immediately to ensure that the recipient deleted the email. The fact that no sensitive personal data was included in the document was also a mitigating factor.
Had sensitive personal data been involved, the ICO would probably have taken more serious enforcement action, most likely a monetary penalty notice of up to £500,000.
The fact that steps had already been taken to prevent similar breaches in future is also likely to have contributed to the reduced level of enforcement action.
Other associations facing a similar situation would do well to act swiftly to mitigate the immediate consequences of a breach and to evaluate how procedures can be changed to reduce the risk of the same type of breach happening again. A data breach management plan, which sets out the steps to be taken if a breach occurs and identifies the individuals within the organisation who should be notified, makes it more likely that mitigating steps will be taken as swiftly as possible.
This case also highlights the need to ensure that clear policies and guidelines are in place for all staff who have responsibility for transmitting personal data, whether that is data relating to employees, tenants or other individuals. It is also necessary to monitor compliance with such guidelines and to ensure that all staff receive awareness training so that they understand the steps that should be taken before sending out personal data via any communication channel. Staff need to be aware that particular care must be taken with sensitive personal data.
For more information please contact Alison Deighton on 0117 917 8016 or alison.deighton@TLTsolicitors.com. Alison Deighton is an associate and head of data protection and privacy at national law firm TLT. Visit www.TLTsolicitors.com