Valerie Surgenor and Rebecca Henderson

Heathrow – what went wrong?

The ICO began investigating Heathrow Airport Limited after a member of the public found and viewed a USB memory stick which was not encrypted or password protected when this was lost by a member Heathrow Airport Limited’s staff.

The USB stick contained 76 folders and over 1,000 original files from Heathrow Airport Limited, only one per cent of these files contained personal data. However, one of the files was a training video where the names, dates of birth, vehicle registrations, nationality, passport number and expiry date, roles and mobile numbers of 10 individuals (and some details of another 12-50 people) were visible on the video for around 3 seconds when the video accidentally captured an open ring binder containing the information.

The individual who found the USB stick took this to the press who took copies (and we understand have declined to return these copies, despite repeated requests from Heathrow Airport Limited) and subsequently released a story about the data breach, which was when the ICO became involved.

What did the ICO say?

At the time of the breach, the ICO held that Heathrow Airport Limited freely allowed staff to use removable media such as USB sticks to transport data but did not have adequate measures/protections in place to ensure that it remained in control of data which had been removed from its premises/servers.

Heathrow Airport Limited submitted that it had a number of policies, procedures and messages that were made available to staff regarding personal data and their use of removable media.

However, the ICO found that only around two per cent of employees had received data protection training. Those who had received training were those who were deemed by Heathrow Airport Limited as being most at risk of exposure to personal data.

Action

The ICO held that Heathrow Airport Limited had failed to take “appropriate technical and organisational measures” to prevent loss of data, which was in breach of the seventh data protection principle, namely:

• they did not have in place any measures to prevent staff members downloading personal information onto unencrypted removable media;
• they did not have any measures in place to disable users being able to download data;
• they did not have measures in place to prevent staff members downloading personal data onto personal devices;
• they did not have any way of finding out/recording how many devices were used to remove information from their systems;
• they did not encrypt or password protect data on USB sticks;
• they did not provide sufficient training to staff on data protection; and
• they failed to monitor the implementation and adherence to policies and procedures around removable media.

Therefore, the ICO fined Heathrow Airport Limited £120,000 for the breaches.

Steps to Compliance

The ICO helpfully set out some measures that it would have considered reasonable in the circumstances for Heathrow Airport Limited to have in place at the time, namely:

• encrypting removable devices;
• controlling the number of removable devices used;
• implementing procedures to ensure that personal data couldn’t be downloaded without permission;
• measures in place to monitor compliance with policies/procedures; and
• provision of adequate training.

The ICO made some specific comments about data protection training which are useful for other organisations when thinking about staff training. In the case of Heathrow Airport Limited it considered that two per cent of staff (in this case 130 out of 6,500) was not sufficient to ensure staff were aware of obligations and requirements under data protection legislation. The ICO has made clear in guidance previously that data protection training for staff is key to compliance!

Key Takeaways?

Policies and procedures are of little value where staff are not trained in them and general data protection requirements!