The Treasury Solicitor’s Department (TSD) has had to sign a pledge to close “identifiable gaps” in its handling of sensitive personal information, after confessing to serious data protection lapses during litigation.
The Treasury Solicitor, Sir Paul Jenkins, signed an undertaking 1z0-051 to the Information Commissioner’s Office (ICO) to tighten up procedures within six months relating to communications between junior and senior lawyers during disclosure.
It included a “mandatory and comprehensive” training programme for all staff on compliance with the Data Protection Act 1998.
Agreeing to the remedial measures meant the TSD escaped an ICO enforcement notice under section 40 of the Act.
Three of the four self-reported breaches of the Act occurred between August 2011 and November 2012, and consisted of passing on files containing unredacted third-party data to a claimant’s solicitor and then onto the claimant.350-001 The undertaking said: “These incidents resulted in the personal data being disclosed in error to third parties.”
The last breach involved case papers relating to an unfair dismissal claim which were sent to an individual during the claim and contained personal data relating to a separate claim. It “resulted in third-party personal data being disclosed in error,” Sir Paul’s undertaking said.
The ICO, which was told about the breaches on four occasions between February 2012 and January 2013, said that while there had been “some appropriate measures” in place to safeguard personal data, “there are identifiable gaps within those measures which need addressing in order to achieve greater compliance with the Act”. The TSD “could go further” in terms of its processes and training.
Commenting on the seriousness of the breaches, the ICO said some of the data was considered sensitive because it contained information “relating to the commission or the alleged commission of an offence by the affected data subjects”.
The ICO’s head of enforcement, Stephen Eckersley, said: “Data security is only as good as the weakest link in the chain. In this case, the [TSD] provided guidance to staff on how to prepare documents for disclosure, but there were clear gaps in the information provided and it wasn’t understood by their staff. This led to a series of data breaches over a 16-month period that could easily have been avoided.
“The nature of the work carried out by the [TSD] means that they should have recognised that they were failing in their legal duty to keep people’s information secure. However, delays in addressing these issues allowed further breaches to occur, which has resulted in today’s agreement between our office and the department to improve its practices.”
A TSD spokesman told Legal Futures: “This is the first time that [the TSD] has been issued with an undertaking. We have reviewed our practices and put in place additional processes to ensure we avoid this type of breach in the future.
“We take this type of breach very seriously, and reported it to the [ICO] ourselves.
“We acted quickly to retrieve the material as soon as the incidents were brought to our attention We are confident that all material has been recovered and no further dissemination of the material will take place.”