The Information Commissioner’s Office (ICO) has issued Royal & Sun Alliance Insurance PLC (RSA) with a monetary penalty notice of £150,000 for a serious breach by RSA of the seventh principle of the Data Protection Act 1998 (the requirement to keep personal data secure).
Between 18 May 2015 and 30 July 2015, a portable Network Attached Storage Device (Device) was taken offline and stolen by a member of RSA staff. The Device held personal data sets containing 59,592 customer names, addresses, bank account and sort code numbers and 20,000 customer names, addresses and credit card details (primary account numbers).
This monetary penalty notice provides:
- a timely reminder that the ICO will take robust action against organisations which fail to comply with the requirements of the seventh principle; and
- a useful insight into the types of measures the ICO expects organisations to take in order to protect personal data (as set out in the monetary penalty notice), which include, but are not limited to: encrypting devices that hold personal data; physically securing devices that hold personal data; and monitoring the physical environments where personal data are stored through the use of CCTV.
The subject of data security is set to become increasingly important in light of the forthcoming General Data Protection Regulation (which applies from 25 May 2018) and increasing media scrutiny regarding data security issues. Organisations need to review (and keep under review) the measures which they implement and maintain to protect personal data (held by the organisation) in order to ensure ongoing compliance with the requirements of data protection law.