Red faces at Treasury Solicitor’s after data breaches during litigation

The self-reported breaches took place between August 2011 and November 2012. Three involved case files being sent to a claimant’s solicitor and then on to the claimant during the course of litigation with un-redacted third party personal data contained within them.

“These incidents resulted in the personal data being disclosed in error to third parties,” the undertaking said.

The fourth breach (also self-reported) involved a bundle of case papers relating to an unfair dismissal claim.

“These were sent to an individual during the process of the claim and contained personal data relating to another individual’s separate claim,” the undertaking revealed. “This incident resulted in third party personal data being disclosed in error.”

During the course of its investigation, the ICO found that:

• Although the Treasury Solicitor’s Department had some appropriate measures in place to safe guard personal data, there were identifiable gaps within those measures which needed addressing in order to achieve greater compliance with the DPA. “For example in each of the three breaches referenced above some but not all third party personal data had been redacted prior to the disclosures being made";
• Staff at the Department had evidently been made aware of their obligations under the Act and had the knowledge and tools to comply with the Act’s requirements “but the data controller [the department] could go further in terms of its processes and training to ensure future compliance.”

Some of the data compromised in the incidents consisted of information relating to the commission or the alleged commission of an offence by the affected data subjects.

The Treasury Solicitor’s Department has now agreed with the ICO that:

1. A clear, documented procedure for staff to follow when preparing information for disclosure will be implemented within six months. “This should incorporate a defined checking process with emphasis on the steps to be taken prior to release. The procedure should account for both sensitive personal data and personal data relating to third parties”;
2. The communication requirements between junior and senior lawyers carrying out the disclosure process will be defined by a structured, formal procedure with clear lines of communication and implemented within six months. “The responsibilities of staff members should be clearly explained within this procedure”; and
3. A mandatory and comprehensive training programme regarding compliance with the Act for all new and existing staff will be put in place within six months. “This should include how training will be presented, tested, refreshed and the frequency of delivery for each.”

ICO Head of Enforcement, Stephen Eckersley, said: “Data security is only as good as the weakest link in the chain. In this case, the Treasury Solicitor’s Department provided guidance to staff on how to prepare documents for disclosure, but there were clear gaps in the information provided and it wasn’t understood by their staff. This led to a series of data breaches over a 16-month period that could easily have been avoided.  

“The nature of the work carried out by the Treasury Solicitor’s Department means that they should have recognised that they were failing in their legal duty to keep people’s information secure. However, delays in addressing these issues allowed further breaches to occur, which has resulted in today’s agreement between our office and the department to improve its practices.”

A copy of the undertaking can be viewed here.

A spokesperson for the Treasury Solicitor's Department said: "This is the first time that TSol has been issued with an undertaking. We have reviewed our practices and put in place additional processes to ensure we avoid this type of breach in the future.

"We take this type of breach very seriously, and reported it to the Information Commissioner ourselves. We acted quickly to retrieve the material as soon as the incidents were brought to our attention. We are confident that all material has been recovered and no further dissemination of the material will take place."