In case 1, the individual would be deemed liable, not the organisation; in case 2 the organisation would be deemed liable rather than the individual. But either way, it's really bad publicity for the organisation.
Charles
Professor Charles Oppenheim
Head
Department of Information Science
Loughborough University
Loughborough
Leics LE11 3TU
Tel 01509-223065
Fax 01509 223053
e mail [log in to unmask]
-----Original Message-----
From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]] On Behalf Of Carolyn Howard
Sent: 30 April 2009 15:27
To: [log in to unmask]
Subject: Re: ICO takes enforcement action against Manchester University for data breach
What would make an organisation more culpable in terms of receiving an enforcement notice from the ICO?
1. An employee deliberately and maliciously breaches DP Principles despite being fully aware that he/she is doing so; and despite the employee's organisation having put into place every possible safeguard and having adequately trained and vetted its staff
2. An employee inadvertently breaches DP Principles because their organisation has never trained them or put into place the appropriate security measures.
I think the ICO would come down more heavily against the organisation in the second situation.
-----Original Message-----
From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]] On Behalf Of J.S.M.Whitaker
Sent: 30 April 2009 15:06
To: [log in to unmask]
Subject: Re: [data-protection] ICO takes enforcement action against Manchester University for data breach
Maybe not, but it can be a significant mitigating factor.
Regards
Jim
-----Original Message-----
From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]] On Behalf Of Simon Howarth
Sent: Thursday, April 30, 2009 12:44 PM
To: [log in to unmask]
Subject: Re: [data-protection] ICO takes enforcement action against Manchester University for data breach
Ignorance is no defence.
-----Original Message-----
From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]] On Behalf Of Andrew Cormack
Sent: 30 April 2009 12:24
To: [log in to unmask]
Subject: Re: [data-protection] ICO takes enforcement action against Manchester University for data breach
Manchester's undertaking (on the ICO website) suggests it was misguided rather than malicious:
(from http://www.ico.gov.uk/upload/documents/library/data_protection/notices/machester_uni_undertaking.pdf)
"
2. The Information Commissioner (the "Commissioner") was provided with a report from [name removed] acting on behalf of the data controller, regarding the accidental publication of a computerised spreadsheet which contained the personal data of some 1,755 students. This data included information relating to certain students 'disabilities' ("sensitive personal data" as defined by the Act). The information was published when a member of the University staff accidentally sent it as an attachment to an email, forwarded to some 469 students.
3. The information accidentally published was forwarded to the staff member by a colleague, when they had requested a list of the email addresses of certain students. An extract of the full student record was provided, despite the fact that the staff member had no business need to acquire the full information, which included "sensitive personal information". This was due to a fault in the relevant procedure, which has since been addressed.
"
Andrew
--
Andrew Cormack, Chief Regulatory Adviser JANET(UK), Lumen House, Library Avenue, Harwell Science and Innovation Campus, Didcot, OX11 0SG, UK
Phone: +44 (0) 1235 822302
Fax: +44 (0) 1235 822399
JANET, the UK's education and research network
JANET(UK) is a trading name of The JNT Association, a company limited by guarantee which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Science and Innovation Campus, Didcot, Oxfordshire. OX11 0SG
> -----Original Message-----
> From: This list is for those interested in Data Protection issues
> [mailto:[log in to unmask]] On Behalf Of Griffiths, Ian
> Sent: 29 April 2009 16:46
> To: [log in to unmask]
> Subject: Re: ICO takes enforcement action against Manchester University
> for data breach
>
> Thanks Chris.
>
> I wonder about the motive for such a thing? This doesn't sound
> particularly accidental?
>
> Ian
>
>
>
> From: This list is for those interested in Data Protection issues
> [mailto:[log in to unmask]] On Behalf Of chris pounder
> Sent: 29 April 2009 14:33
> To: [log in to unmask]
> Subject: [data-protection] ICO takes enforcement action against
> Manchester University for data breach
>
> I know there are a lot of academics on the list.
>
> C
>
> From: ICO Press Office [mailto:[log in to unmask]]
> Sent: 29 April 2009 13:59
> Cc: ICO Press Office
> Subject: ICO takes enforcement action against Manchester University for
> data breach
>
>
>
>
>
> Press Release
>
> 29 April 2009
>
>
> ICO takes enforcement action against Manchester University for data
> breach
>
> The Information Commissioner's Office (ICO) has taken regulatory action
> against the University of Manchester following a breach of the Data
> Protection Act.
>
> The personal records of over 1,700 students, including information on
> some students' disabilities, were published when a member of the
> university staff had unauthorised access to the information. The staff
> member emailed the information as an attachment to 469 other students.
>
> The University of Manchester has signed a formal undertaking outlining
> that it will process personal information in line with the Data
> Protection Act. The university will ensure all its staff have adequate
> training to prevent the inappropriate transfer of information and take
> all reasonable measures to safeguard personal data from accidental loss
> or destruction.
>
> Mick Gorrill, Assistant Information Commissioner at the ICO, said: "The
> Data Protection Act clearly states that organisations, including
> universities, must take appropriate measures to ensure that personal
> information is kept secure. This case reinforces the importance that
> only those authorised should have access to sensitive personal
> information such as a student's disabilities and other health details.
> Despite the absence of a justifiable reason, the staff member was able
> to access the information and send it to students and peers which could
> cause significant distress to individuals concerned.
>
> "Under the Data Protection Act, organisations must ensure that their
> policies on the transfer, sharing and publication of personal
> information are adequate and that staff members are aware and
> understand those policies. Manchester University recognises the
> seriousness of this case and has agreed to take immediate remedial
> action."
>
> Failure to meet the terms of the undertaking is likely to lead to
> enforcement action by the ICO. A copy of the undertaking can be
> downloaded from
> http://www.ico.gov.uk/what_we_cover/data_protection/enforcement.aspx
>
> ENDS
>
> If you need more information, please contact the ICO press office on
> 020 7025 7580 or visit the website at: www.ico.gov.uk
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask] All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving messages please send to the list owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Carolyn Howard
Solicitor
Leicester City Council
email: [log in to unmask]
ext: 29 6498
tel: 0116 252 6498
(Office hours: Mon a.m./Tue/Thu)