A mortgage company has been found to be in breach of the Data Protection Act after it mistakenly sent personal information relating to over 15,000 mortgages to a member of the public. The monthly analysis report, which contained details of mortgage arrears and repossessions, had originally been intended for an external consultant using a private email address. The individual who received the information had a similar email address. The report had neither been encrypted nor password protected.
Redstone Mortgages has now been required by the Information Commissioner to sign an undertaking relating to all future reports. The investigation revealed that Redstone had been sending data without adequate security measures for a considerable period of time. New security measures will also need to be implemented to prevent such an occurrence from happening again.
If personal data falls into the wrong hands, the consequences can be devastating both for the organisation at fault and for the victims whose information has been compromised. Under the seventh principle of data protection, any information that could cause damage or distress must be password protected. It is recommended that the password is at least eight characters long and contains at least one non-letter character and both upper and lower case letters. Passwords must be sent separately and changed regularly.
Is your organisation fully compliant with the Data Protection Act? For advice, contact us.