News release: 19 October 2011
A private housing group based in Dorset breached the Data Protection Act by sending the personal data of 200 employees to the wrong email address, the Information Commissioner’s Office (ICO) said today.
In March of this year, an employee of Spectrum Housing Group accidentally emailed a non-secure Excel spreadsheet containing employees’ data, including details of their pension contributions, to the wrong external email address. The error was discovered 30 minutes after the email had been sent, at which point the unintended recipient was informed and the data destroyed.
The ICO’s investigation found that at the time of the incident Spectrum Housing did not have a sufficient policy in place to help prevent such incidents and has ordered the company to take action.
Acting Head of Enforcement, Sally Anne Poole, said:
“While on this occasion the information compromised was not sensitive, the fact is that at the time of the incident Spectrum Housing Group did not have appropriate controls in place. This case highlights the need for organisations to make sure that adequate checks are in place and documents suitably protected before they are sent out.”
Wayne Morris, Group Chief Executive of Spectrum Housing Group, has now signed a formal undertaking to ensure that spreadsheets or other documents containing personal data are only sent by email where necessary and only contain the minimum amount of data required. The organisation will also consider, where appropriate, password protecting or encrypting documents containing personal information.
Notes to Editors
1. The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
2. The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.
3. Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:
- Fairly and lawfully processed
- Processed for limited purposes
- Adequate, relevant and not excessive
- Accurate and up to date
- Not kept for longer than is necessary
- Processed in line with your rights
- Secure
- Not transferred to other countries without adequate protection
4. The ICO is on Twitter, Facebook and LinkedIn, and produces a monthly e-newsletter. Our “For the media” page provides more information for journalists.
5. If you need more information, please contact the ICO press office on 0303 123 9070 or ico.gov.uk/press