How do you send your sensitive information?
ICO fine for missing police DVDs sent using Recorded Delivery
Greater Manchester Police has been fined £150,000 after 3 DVDs containing footage of interviews with victims of serious violent crime failed to reach their intended recipient, the National Crime Agency.
The fine (“monetary penalty notice”) was levelled by the Information Commissioner after 3 unencrypted DVDs were sent Recorded Delivery but got lost in the post. Recorded delivery only requires a signature at the point of delivery, whereas Special Delivery tracks the item through the postal system. Various pieces of guidance to the police suggest Recorded Delivery is not secure enough for highly sensitive information, and that special delivery or couriers should be used in preference. Accordingly the ICO found that Greater Manchester Police had failed to put in place appropriate security measures when deciding how to send the information. It appears from the monetary penalty notice that there was no option to encrypt the DVDs in this particular case, but no further explanation further is given as to why that was the case and the ICO went on to conclude that not password protecting the DVDs was an aggravating factor. The notice imposing the fine can be viewed here:
What to take away from this case
The case is relevant to all our clients, who are responsible for handling sensitive information of various kinds – whether medical records, police interview footage, or regulatory information. The monetary penalty notice demonstrates that the ICO will issue monetary penalty notices in cases where the loss is beyond the direct control of the organisation handling the data, and accordingly care needs to be taken in terms of making sure that such information is sent in a way where the security measures in place for transit reflects the sensitivity of the information. Whilst many would think there is little difference between ‘recorded’ and ‘special’ delivery in terms of security of items in the post, the ICO found that there was sufficient difference to warrant a fine.
The case also demonstrates the importance of encryption/password protection as a key way of securing data in transit – whether electronically or via physical media - , and so this technology should be used wherever possible. This is of increasing importance as encryption is specifically referred to in the new General Data Protection Regulation as a technique for increasing security. Organisations should have in place a policy (and adhere to any sector-specific guidance) for transfer of sensitive information and ensure that this is followed. Whilst the ICO suggests couriers are ‘more secure’ than recorded delivery, reputable courier firms should be used, and a written contract put in place with them setting out any particular security requirements the sending organisation expects the courier to implement.
How we can help
Capsticks has excellent experience in all information law matters – including advisory, transactional, and litigation work. We help organisations respond to information security incidents, including liaising with the Information Commissioner, affected data subjects, and other organisations. Of course, prevention is better than cure where possible, and we can also assist with developing and reviewing your information governance policies and procedures, and in preparing for the changes under the General Data Protection Regulation.