Conveyancers should note that the Information Commissioner has served two organisations with the first monetary penalties for serious breaches of the Data Protection Act. I believe that at some point a conveyancer will be fined unless standards improve.
Conveyancers often think that data protection is just about not breaching confidences; however, the obligations also relate more broadly to risk-based procedures for data security and precautions over data storage.
In the two recent cases where the ICO imposed a fine, the losses related to sensitive personal data, such as child sex abuse or criminal histories of data subjects, but that does not mean that fines for breaches by conveyancers will not happen in future. In fact, in recent months I have seen potential areas of lack of sensitive personal data protection compliance within a number of conveyancing firms.
The first case related to two breaches by Hertfordshire County Council. The Council was fined £100,000 for two serious incidents where council employees faxed highly sensitive personal information to the wrong recipients. The first case, involving child sexual abuse, was before the courts, and the second involved details of care proceedings.
The second monetary penalty, of £60,000, was issued to employment services company A4e for the loss of an unencrypted laptop which contained personal information relating to 24,000 people who had used community legal advice centres in Hull and Leicester.
Whilst conveyancers generally do not hold data about child sex abuse cases or other very sensitive personal data, they do tend to hold bank account information, moving dates and, often, credit card information, which is sensitive.
The types of risk that I have seen in the last few years include:
1) Archived material being stored in unlocked sheds.
2) Firms storing credit card numbers, expiry dates and security code numbers. I have been in two firms in the last 6 months where this information is filed on shelves in accounts departments with no one thinking about the potential risk.
3) Sending information to or from unsecured email accounts.
4) Failing to check that the person you are speaking to on the phone is the person that has a right to receive the data.
5) Failing to train staff in data protection issues and to consider potential scams that fraudsters may employ to obtain personal data you hold.
6) Removing files from offices to work on them overnight.
7) Easy-to-breach external access to case management systems, e.g. failure to use strong passwords.
Information Commissioner, Christopher Graham, said:
“These first monetary penalties send a strong message to all organisations handling personal information. Get it wrong and you do substantial harm to individuals and the reputation of your business. You could also be fined up to half a million pounds.”
Conveyancers should also consider the extent to which the financial services sector now sees this as a large area of risk. In my experience, after a number of high-profile data losses, it is now common practice in mortgage lenders to be much more rigorous about data protection issues. The standards in lenders are significantly more controlled than many conveyancers feel is important. Examples of protection that many mortgage lenders employ include specific and regular training of all their staff; policies, which they often operate, under which staff are unable to take their phones to their desks, to prevent data being stored photographically or in other media; and encryption of all their data, which is provided to people on a need-to-know basis only.
It may not be long before a conveyancer is fined for a breach. If you wish to consider these issues in further depth and develop appropriate audit and management processes to avoid this risk, please contact Chris Harris ([email protected]), who would be able to assist.