Privacy Advisor

Global Privacy Dispatches- UK

May 1, 2008

By Michael Spadea, CIPP

UK Financial Services Firm Signs ICO Undertaking

Skipton Financial Services has signed an undertaking requiring it to encrypt personal data stored on laptops after a laptop containing the financial details of 14,000 customers was stolen from a contractor. The laptop contained names, dates of birth, national insurance numbers and investment amounts. This is the latest Information Commissioner Office (ICO) action pushing encryption of personal data on laptops. Businesses under ICO jurisdiction should require service providers to encrypt personal data stored on laptop computers and also, perhaps, on all portable storage devices. Relevant language should be either in the body of the agreement or in the attached security schedule.

London Police Regularly Access Public Transport Records

In the past year, London Police have made more than 3,000 requests for passenger journey details on London public transportation. Passengers who use the Oyster card, a contactless smartcard, have their trip data stored for two months. Passengers who register their cards with Transport for London to protect against theft have their personal information linked with their trip details. The concern is that transit users are not informed that their data may be shared with the police or that their data is retained for two months. Transport for London states that the ICO is familiar with the details of the Oyster card system and has not expressed any concern.

NHS Laptop Containing Sexual and Physical Abuse Histories Stolen


Over the past five years, nearly 200 electronic devices from Lothian public bodies (a region in Scotland) have gone missing. One such device contained the psychiatric and personal history of a person who had been physically and sexually abused. That device, a laptop, was stolen from a consultant in October 2005, but is only now being made public. Edinburgh University, where the study was being conducted, stated that the data was wrongly downloaded, but that they have since changed their policies to prevent a recurrence.

Terminal 5: Business v. Security


The British Airport Authority is under fire from the ICO for its decision to use fingerprints to log entry and exit to the departure lounge. The BAA's business model is to allow all passengers, whether international or domestic travellers, to access the shops and restaurants in Terminal 5. The physical configuration that allows this has created a security vulnerability: an individual seeking to enter the country illegally could swap tickets in the lounge and slip into the UK via a regional airport without going through immigration. The same configuration exists at Gatwick airport, but instead of fingerprinting, a photo is taken and a barcode is attached to the boarding pass. The ICO is concerned that fingerprinting is too intrusive and has requested additional information. Both the BAA and the government blame each other for the problem and the solution.

Michael Spadea is a London-based privacy attorney. He may be reached at mspadea@gmail.com, or at +44 (077) 80624543.