News release: 3 February 2012
A financial services company with operations in the UK, USA and Middle East breached the Data Protection Act by losing over 600 customers’ personal details, the Information Commissioner’s Office (ICO) said today.
E*Trade Securities Ltd discovered that a large number of customer files were missing in April 2010 when they were asked to retrieve archived documents held in a storage facility in the UK. Files containing 608 customers’ personal data remain missing, most of the files included identification documents, proof of address and account application forms.
The company informed the ICO about the breach in December 2010 after all attempts to find the information had failed. Initial enquiries found that E*Trade Securities Ltd did not have a formal agreement in place with the contractor responsible for securely storing their client data.
The company has now agreed to take action to keep the personal information it holds secure. This includes implementing written agreements with UK contractors storing client personal data on its behalf and making sure that appropriate audit trails are in place to record where client files are being sent and stored at all times.
Head of Enforcement, Steve Eckersley, said:
“This breach was caused by the company failing to have the necessary security measures in place to keep their clients’ information secure.
“The fact that customer records are being archived in a storage facility and not regularly accessed does not give businesses license to forget about them. This case demonstrates how important it is to stipulate in writing how long personal information needs to be kept, how regularly it should be reviewed and when it can be securely destroyed.”.
The ICO has produced guidance for organisations who operate and send personal information overseas.
Notes to Editors
1. The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
2. Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:
- Fairly and lawfully processed
- Processed for limited purposes
- Adequate, relevant and not excessive
- Accurate and up to date
- Not kept for longer than is necessary
- Processed in line with your rights
- Secure
- Not transferred to other countries without adequate protection
3. The ICO is on Twitter, Facebook and LinkedIn. Read more in the ICO blog and e-newsletter.
4. If you need more information, please contact the ICO press office on 0303 123 9070 or ico.gov.uk/press