In November, a barrister left some bulky files relating to a court hearing locked in her car overnight. Her car was broken into and the files stolen. The stolen files were not recovered and the Information Commissioner got involved, investigating whether the barrister had failed to comply with her obligations as a data controller under the UK Data Protection Act 1998. In March of this year, the barrister signed an Undertaking committing herself to comply with the Seventh Data Protection Principle which requires that appropriate measures are taken to guard against the loss or destruction of personal data. The terms of the Undertaking make it clear that where files containing personal data are removed from the security of the office, they must be subject to appropriate security and “kept in a locked storage place”.
The worrying thing for anybody who has ever taken work home is that the guidance issued by the Information Commissioner, and indeed the terms of this particular Undertaking, do not dictate a minimum level of security. Previous guidance notes from the Information Commissioner make it clear that the level of security required will depend upon how sensitive the personal data concerned is and how damaging or distressing its loss would be. The more sensitive the data, the more careful you are expected to be.
In terms of physical security, the clear conclusion to be drawn from events in Bristol must be that a locked car parked on a public street overnight is not considered secure. Especially where the information concerned is sensitive personal data. The reference to a “locked storage place” suggests that the information needs to be stored somewhere in a building. But it is not clear whether the Information Commissioner will go further and expect a “locked storage place” to mean a locked room or cupboard or a strong box or safe.
There is another lesson we can learn from the barrister’s experience: possibly the best way to minimise the risk is not to take work home with you…
The ICO’s guidance is here: