ICO takes action over missing evidence DVD
A Scottish legal firm has been required to give an undertaking to the Information Commissioner's Office after a DVD with evidence relating to a criminal trial went missing.
Ayr solicitors Martin & Co were to be issued with the DVD, which contained video footage, by the procurator fiscal's office in Kilmarnock. The DVD was collected for Martin & Co by a colleague from another firm, but was mislaid before it reached Martin & Co.
While the ICO recognised that the DVD was not in the possession of Martin & Co when it was lost, the undertaking records that "the Commissioner’s enquiries into this incident have identified a number of shortcomings in the organisation’s procedures. In particular, the Commissioner’s investigation determined that guidance to staff regarding data protection compliance was lacking, as was training. It was also determined that there was a lack of a formal procedure for staff to follow when arranging to collect personal data outside of the office environment".
This is relevant to the seventh data protection principle in the Data Protection Act 1998 – that data security is to be achieved by use of appropriate technical and organisational measures. In terms of the undertaking, appropriate procedures for the collection of paper and electronic media containing personal and sensitive
personal data from third parties will be implemented within three months; safeguards will be put in place to
ensure encryption of portable media used to store and transmit sensitive personal data; a data protection policy will be implemented within three months, with appropriate training for staff, including on induction and with annual refreshers; and such other security measures will be taken as are appropriate to ensure that
personal data is protected against unauthorised and unlawful processing, accidental loss, destruction,
and/or damage.
No money penalty was imposed.
The undertaking can be found on the ICO website.