• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar
easy GDPR - we make compliance with GDPR easy

easyGDPR

We make implementing General Data Protection Regulation Easy

  • Home
  • Services
    • Software
      • Quick Check
      • Starter
      • Standard
      • Data Subject Requests
      • Sophos
    • IT Security
    • network checkup
    • SME digitization funding
    • Data protection consulting
      • Data protection
      • Cybersecurity
    • Training
      • Data protection
      • Cybersecurity
  • Partner
    • Resellerprogramm
    • Affiliate programm
  • GDPR
    • GDPR News
    • FAQ
    • GDPR Decisions
    • GDPR Fines
    • GDPR legal text
  • Shop
  • Contact
    • Contact
    • Newsletter registration
  • Login
    • Shop / Affiliate Program
    • easyGDPR Software
  • German
  • English

Penalty for Heathrow Airport for privacy violation

24/04/2019 by Wolfgang Weissinger

Several media have reported that the Information Commissioner’s Office (ICO) has imposed a fine of £120,000 on London Heathrow Airport.

History

According to the chief officer, an employee of the airport has lost a USB stick with confidential information. Among the more than 1,000 stored files were among others:

  • Personal data such as names, birth dates and passport numbers of ten people from a training video
  • Personnel data of up to 50 security employees

Furthermore, it was reported that travel data of the British Queen were also stored on this USB stick, whereby this information was not confirmed by the British data protection authority ICO.

The lost data carrier was found by a British citizen and handed over to a newspaper after inspection. That’s how the ball started rolling.

Legal assessment

So why was this heavy punishment imposed? The loss of a USB stick by an employee cannot be prevented even by the best technical and organizational measures. However, the GDPR requires a level of protection at the “state of the art”. This formulation is not exact and changes continuously in the course of time. For the current period, encryption of removable data carriers, such as USB sticks, external hard disks, etc., is necessary with security. However, the storage medium at the airport was neither equipped with encryption nor with access protection. Due to this shortcoming in the GDPR implementation, access to the USB stick was possible for unauthorized persons.

If, on the other hand, the data carrier had been encrypted, access would have been possible only with the specified password. The Finder of the USB stick could only have deleted the data, but access would not have been possible.

Due to the lack of encryption, the data protection authority has taken action because it is a violation of UK data protection legislation.

Investigation

The data protection violation was reported by the airport to the data protection authority. The GDPR stipulates that such a report must be made within 72 hours of the incident becoming known.

In the course of the investigations of the data protection authority it was found that only about 2% of the Heathrow employees were trained in the area of data protection. In addition, copying data to unprotected USB sticks was a common practice at the airport, although this was prohibited by the guidelines. According to the data protection authority, data protection training could have prevented this practice.

With data protection being addressed not only at board meetings, appropriate guidelines and training are essential to ensure that the personal data of employees and customers is optimally protected.

During the investigation, Heathrow Airport operated an Internet monitoring system. The data lost was actively searched to check whether it was published on the Internet or Darkweb.

Consequences

The UK data protection authority set the penalty at £120,000. The old Data Protection Act, which provided for a maximum penalty of £500,000 and was thus significantly lower than the GDPR maximum penalty, was used as a basis. This amounts to £ 17.000.000,- (€ 20.000.000) or 4% of the worldwide annual turnover. The airport announced that it would accept the penalty.

Conclusion

The data protection violation at Heathrow Airport would have been easy to prevent. The encryption of data carriers would not have allowed unauthorised access to personal data. Instead, it was determined that the company-wide guideline on data protection was not or only partially complied with by employees. It turns out that it is not sufficient to draw up guidelines on the subject of data protection, one must also monitor their enforcement.

The airport got away with a minor fine in this case. With a turnover of around £4 billion, the fine was only £120,000 and only 0.00003% of annual turnover. The penalty was certainly mitigated by the fact that the data breach was reported on time and monitored to see whether the lost data had been made public by third parties.

Category iconGDPR fines

Primary Sidebar

IT-Security Whitepaper Downloaden
  • German
  • English
  • Data Protection Statement
  • Terms and Conditions
  • Imprint
  • Licence terms for easyGDPR
  • GDPR terms
We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking "Accept", you consent to the use of ALL the cookies.
SettingsAccept All
Manage consent

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.
Necessary
Always Enabled

Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.

Non Necessary

Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.

functionality

Diese Art von Cookies erhöht die Benutzerfreundlichkeit unserer Website. Beispielsweise wird darin die von Ihnen ausgewählte Sprache gespeichert. Auch die Verfügbarkeit von Videostreams und sonstigem Inhalt kann von diesen Cookies abhängig sein. Wenn Sie diese Cookies ablehnen, ist die Benutzerfreundlichkeit eingeschränkt.

Save & Accept