Trust firm lost client’s sensitive data in post
An envelope filled with a person’s sensitive banking information was lost in the post, and they were not told for a month.
The Office of Data Protection Authority has now reprimanded local trust company Beauvoir Ltd for failing to take adequate steps to protect the person’s data.
The issue arose when a person was looking to cash in their pension fund, and sent the trust company a collection of notarised ID and financial documentation.
That included copies of their passport, property details, last tax return, the front page of their bank book, details of their savings and a utility bill.
Beauvoir sent these documents by ordinary mail to a third-party organisation. But the envelope never arrived, and as there was no tracking, it could not be traced.
Checks were then made and the individual was only told their documents were lost a month later. During this period, no formal breach report was submitted to the ODPA.
The law requires that a controller or processor take reasonable steps to ensure a level of security appropriate to the personal data.
The ODPA in its ruling said that ordinary mail was not appropriate for sending such important and sensitive personal information by post.
‘Due to Beauvoir’s lack of policy surrounding outgoing mail, these documents were sent with an inappropriate level of security, and ultimately led to confusion as to the fate of the personal data in question,’ the report stated.
‘This created stress and frustration for the data subject, who had entrusted Beauvoir with their sensitive personal data and was now potentially at risk from external bad actors, who may be in receipt of the notarised documentation, and choose to target the individual for fraudulent purposes.’
The fact that the company did not inform the individual of the loss made the matter worse, as they could not then take action to try to prevent any risks to themselves.
Beauvoir informed the ODPA that procedures had since been updated.
‘It is important that controllers understand the risks associated with sensitive personal data, including the information contained within identification and similar sensitive documentation, implementing protective measures proportionate to the value of this data and the potential impact mishandling could cause to the relevant individuals,’ the regulator said.
‘Additionally, controllers must take steps, not only to prevent the loss of personal data, but to ensure they can quickly identify if and when a breach has occurred, to help limit any perceived impact to the affected data subject in a timely manner.’