These stories, based on FOI requests, often pitch up don't they? But the headline here throws into focus an important misunderstanding - an incident of loss/disclosure etc of personal data (what is commonly called a "data breach") is not necessarily a breach of the law. As we all know DPP7 only requires a data controller to take "appropriate" preventative measures, and "reasonable" steps to ensure employee reliability. If DPP7 is complied with then it is unlikely that "data protection law" will have been broken.
The breach notification requirements in PECR define a "data breach" and make clear that a "data breach" is not necessarily a contravention of the law.
Stories like this risk data controllers (and staff) being less open about logging incidents.
I did a rather rambling blog post on this issue recently.
http://informationrightsandwrongs.com/?s=Morrisons&submit=Search
Jon Baines
Chairman
http://nadpo.org.uk
On 10 Apr 2014, at 23:21, "Chris Pounder" <[log in to unmask]<mailto:[log in to unmask]>> wrote:
http://www.bbc.co.uk/news/uk-wales-26775603
Welsh councils broke data protection laws 135 times
By Alun Jones BBC Wales political unit
Five of the 22 local authorities said they had recorded no breaches last year
Councils in Wales broke data protection laws twice as often last year as they did in 2012, BBC Wales has learned.
Examples included a bag containing papers for a court case being left on a train, and sensitive personal data appearing on a website.
The laws were broken 135 times in 2013 compared to 60 breaches in 2012<http://www.bbc.co.uk/news/uk-wales-23581684>.
The Information Commissioner's Office (ICO) called for effective data handling to be "hardwired" into the culture of local authorities.
The details from the 22 councils have been obtained by BBC Wales through a Freedom of Information request.
It showed:
· There were 45 breaches at Powys council of which 25 were confined internally to the council, while four were due to external providers of services and six were still under investigation. The council said training and revision of policies had been carried out since
· Cardiff council recorded 14 breaches including financial information about 15 employees being given to third parties and information being stolen from an employee's car. A spokesperson said a number of new measures have been introduced
· At Wrexham council there were 13 incidents, including one in the adult social care department where personal information was passed incorrectly to a third party
· Gwynedd council had 10 breaches including personal details being mistakenly sent, and letters and emails being sent to the wrong people
· Flintshire and Newport councils each recorded nine breaches, including a fax containing personal data being sent to the wrong care provider and "lost or stolen paperwork"
· Caerphilly council said six breaches had occurred, one of which was a person's personal data being lost within the authority
· A bag containing papers for a court case being left on a train, documents stolen from a private residence, and a letter, fax and email were sent to the wrong people were among five breaches at Anglesey council
· Carmarthenshire council had five breaches, while Merthyr had four, Denbighshire reported three breaches and there were two at Pembrokeshire
· Bridgend council had three breaches including a laptop being stolen from a car and a document containing sensitive personal data being sent to the wrong printer
· Rhondda Cynon Taf council self-reported one breach to the ICO about disclosing personal information through email by accident and Torfaen council had one breach which was an email with personal information sent to the wrong recipient
· Monmouthshire councilsaid there "were no significant breaches in 2013" while Conwy council said "some events occurred which included sending emails, a fax and correspondence to unintended recipients, and information stolen from a vehicle/property"
Five of the 22 councils - Blaenau Gwent, Ceredigion, Neath Port Talbot, Vale of Glamorgan and Swansea said they had recorded no breaches last year
Anne Jones, Assistant Information Commissioner for Wales, said: "It's important local authorities live up to their legal responsibilities under the Data Protection Act. "Keeping people's personal information secure should be hardwired into their culture as losses can seriously affect reputations and as a consequence, service delivery".
________________________________
All archives of messages are stored permanently and are available to the world wide web community at large at http://www.jiscmail.ac.uk/lists/data-protection.html
Selected commands (the command has been filled in below in the body of the email if you are receiving emails in HTML format):
* Leaving this list: send leave data-protection to [log in to unmask]<mailto:[log in to unmask]&BODY=LEAVE%20data-protection>
* Suspending emails from all JISCMail lists: send SET * NOMAIL to [log in to unmask]<mailto:[log in to unmask]&BODY=SET%20*%20NOMAIL>
* To receive emails from this list in text format: send SET data-protection NOHTML to [log in to unmask]<mailto:[log in to unmask]&BODY=SET%20data-protection%20NOHTML>
* To receive emails from this list in HTML format: send SET data-protection HTML to [log in to unmask]<mailto:[log in to unmask]&BODY=SET%20data-protection%20HTML>
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm and are sent in the body of an otherwise blank email to [log in to unmask]<mailto:[log in to unmask]>
Any queries about sending or receiving messages please send to the list owner [log in to unmask]<mailto:[log in to unmask]>
(Please send all commands to [log in to unmask]<mailto:[log in to unmask]> not the list or the moderators, and all requests for technical help to [log in to unmask]<mailto:[log in to unmask]>, the general office helpline)
________________________________
Buckinghamshire County Council
Visit our Web Site : http://www.buckscc.gov.uk
Buckinghamshire County Council Email Disclaimer
This Email, and any attachments, may contain Protected or Restricted information and is intended solely for the individual to whom it is addressed. It may contain sensitive or protectively marked material and should be handled accordingly. If this Email has been misdirected, please notify the author or [log in to unmask] immediately. If you are not the intended recipient you must not disclose, distribute, copy, print or rely on any of the information contained in it or attached, and all copies must be deleted immediately. Whilst we take reasonable steps to try to identify any software viruses, any attachments to this Email may nevertheless contain viruses which our anti-virus software has failed to identify. You should therefore carry out your own anti-virus checks before opening any documents.
Buckinghamshire County Council will not accept any liability for damage caused by computer viruses emanating from any attachment or other document supplied with this email.
All GCSx traffic may be subject to recording and / or monitoring in accordance with relevant legislation.
The views expressed in this email are not necessarily those of Buckinghamshire County Council unless explicitly stated.
This footnote also confirms that this email has been swept for content and for the presence of computer viruses.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving messages please send to the list owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
