Safe&Secure Insurance Services, a home insurance provider based in Derby, has signed an undertaking to improve its data protection practices after a hard drive containing personal data about its clients was sold online.
The Information Commissioner’s Office says it discovered that the hard drive had been sold online last year. It contained data including insurance quotes and application forms. A small number of forms contained sensitive financial data, it says.
Safe&Secure could not explain how the hard drive made its way online. The company did not have an adequate data protection policy, the ICO says, and it did not have a process to ensure that data was wiped before equipment was disposed of.
This is in contravention of the seventh principle of the Data Protection Act, which insists that "appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data".
In place of a fine, Safe&Secure has agreed to tighten up its security procedures. This includes wiping disks before disposing of them, logging destroyed or decommissioned hardware and introducing a data protection policy.
According to an ICO spokesperson, the reason why this undertaking was revealed so long after the original transgression is that the incident emerged as part of an ongoing investigation into unwiped storage media.
The ICO published a guide to wiping data from PCs, laptops and storage devices last week.