FOI reference - FOI 2012-07-31
Date - 31/07/2012

Request

Details of incidents when the Data Protection Act has been breached, including data lost, by the regulator's employees and contractors over the past three years.

For clarity, the definition of the 'past three years' is the period from 1st July 2009 to 1st July 2012.

To be clear I am requesting:

  1. The total number of times there has been a breach of the Data Protection Act including data loss in the period.
  2. The total number of employees that have been disciplined internally for breaches of Data Protection Act in the period.
  3. Please also provide details of each breach of the Data Protection Act, for example the type of data that was involved and the number of people affected.
  4. Details of action taken, including whether each breach was reported to the Information Commissioner's Office.

Response

Duty to confirm or deny whether the regulator holds information requested

I can confirm that The Pensions Regulator does hold information relating to incidents when the Data Protection Act has been breached, including the data lost by employees and contractors, over the three year period of 1 July 2009 to 1 July 2012.

Information we are able to supply

The Pensions Regulator has a policy of self-reporting any serious or potentially serious breach of the Data Protection Act to the Information Commissioner's Office (ICO), in line with the ICO's guidance on the notification of data security breaches.

You will note from the information provided that a number of potential breaches or breaches of the DPA were not escalated to the ICO. This was either because data was retrieved through actions taken by staff of the regulator, or because any breach that did occur was determined not to be a serious breach in terms of the considerations set out in the ICO's guidance (potential harm to data subjects, or the volume or sensitivity of the personal data involved).

Breach - disclosure of information in a determination notice

A determination notice is a record of decisions taken by the Determinations Panel of The Pensions Regulator. It sets out what powers the regulator has exercised or will exercise, what facts were used to reach the decision and the reasons for the decision.

Data affected

Personal data - the identity of an individual involved in the case could be deduced from details left un-redacted in the published version.

Disciplinary action taken

None.

Action taken including notification to ICO

Self-reported to the ICO. Information was immediately removed from website and individual contacted. ICO considered mitigating action had been sufficient to ensure no detriment was caused to individual and no further action was taken.

Breach - meeting papers left in bag on train

Data affected

Individual member of staff named and salary information relating to their role.

Disciplinary action taken

None.

Action taken including notification to ICO

Bag was handed in at the next station and was intact. The salary information was already in the public domain. The data subject to whom the salary information related was informed of the loss and then subsequent retrieval. Did not meet the criteria for self-reporting to the ICO.

Breach - email sent in error to wrong recipient

Data affected

Name, contact number and email address of trustees.

Disciplinary action taken

None.

Action taken including notification to ICO

Emails were recalled. The recipient was asked to delete the email and confirm that it had been deleted. Trustees were acting in a professional capacity through organisations. Follow up training delivered to the team. Did not meet the criteria for self-reporting to the ICO.

Breach - briefing papers left in bag on train

Data affected

Personal data.

Disciplinary action taken

None.

Action taken including notification to ICO

Station master contacted and loss formally reported. Bag was handed in at the next station. No documents were missing, and documents did not appear to have been disturbed. Papers were subsequently published on the website by the originator. Did not meet the criteria for self-reporting to the ICO.

© The Pensions Regulator