Amicus Legal Ltd has been found to breach the Data Protection Act 1998 after a laptop containing personal data relating to 100,000 customers was stolen. The laptop had not been encrypted. Despite the fact that the laptop was owned by a consultant, the Information Commissioner's Office – the regulator in charge of enforcing UK data protection law – threw the book at Amicus and required it to sign a formal undertaking promising to take reasonable measures to keep personal information secure in future. For example, it had to agree that all portable and mobile devices would be encrypted. The ICO said that this case was particularly serious because of the number of people involved and the fact that it involved sensitive information relating to legal advice. Failure to comply with the formal undertaking could lead to action being taken against Amicus in the courts.

Paul Gershlick, editor of Upload-IT, comments: 'Organisations often don't realise the extent to which they're responsible for data which is dealt with by sub-contractors. When you enter an agreement with a self-employed consultant, a web site host, a courier, a business process outsourcing service provider or anyone else who helps you with some aspect of your business, your organisation – rather than the service provider – is considered to be the data controller and on the hook. Data protection law requires you to have a contract with the service provider in which you make clear the security obligations which the service provider needs to take. Having a clear written contract is a good way of dealing with the data protection liability. It could also mean that, if the service provider doesn't do what they're supposed to do, you could terminate the contract rather than potentially being exposed for wrongfully terminating the contract or being left without a remedy.'

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.