Yorkshire Building Society breaches Data Protection Act

ICO finds building society in breach of law over inadequate information security

The ICO has not yet imposed financial penalties for DPA breaches

The Information Commissioner's Office (ICO) has found Yorkshire Building Society (YBS) in breach of the Data Protection Act (DPA) following the theft of an unencrypted laptop. The laptop contained large amounts of personal data concerning building society customers.

The ICO has powers to fine organisations up to £500,000 for serious breaches of the DPA, but to date has not seen fit to use them. Both in today's news and in other announcements of breaches by electronics retailer DSG and the Royal Wolverhampton Hospitals NHS Trust, the ICO has required that organisations sign a formal undertaking. This outlines the remedial measures to be taken by companies to ensure future breaches are less likely.

The ICO explained to Computing that it has very specific guidelines on when to invoke monetary penalties, including the necessity for deliberate distress or harm to have been caused to an individual.

The fact that YBS agreed to take action to shore up its data protection policies and co-operated with the ICO throughout was also taken into account.

Mick Gorrill, head of enforcement at the ICO, said: "It is extremely worrying that an unencrypted laptop containing large amounts of personal data was left unsecured overnight, together with details of its passwords.

"What’s more, the fact that the employee did not require all the information to carry out the task in hand created an unnecessary risk which could easily have been avoided; employees should only have access to information that is absolutely vital to work which is being carried out. I am pleased that the Yorkshire Building Society took such prompt and effective action and am satisfied that steps are now in place to prevent this happening again.”