Several media have reported that the Information Commissioner’s Office (ICO) has imposed a fine of £120,000 on London Heathrow Airport.
History
According to the chief officer, an employee of the airport has lost a USB stick with confidential information. Among the more than 1,000 stored files were among others:
- Personal data such as names, birth dates and passport numbers of ten people from a training video
- Personnel data of up to 50 security employees
Furthermore, it was reported that travel data of the British Queen were also stored on this USB stick, whereby this information was not confirmed by the British data protection authority ICO.
The lost data carrier was found by a British citizen and handed over to a newspaper after inspection. That’s how the ball started rolling.
Legal assessment
So why was this heavy punishment imposed? The loss of a USB stick by an employee cannot be prevented even by the best technical and organizational measures. However, the GDPR requires a level of protection at the “state of the art”. This formulation is not exact and changes continuously in the course of time. For the current period, encryption of removable data carriers, such as USB sticks, external hard disks, etc., is necessary with security. However, the storage medium at the airport was neither equipped with encryption nor with access protection. Due to this shortcoming in the GDPR implementation, access to the USB stick was possible for unauthorized persons.
If, on the other hand, the data carrier had been encrypted, access would have been possible only with the specified password. The Finder of the USB stick could only have deleted the data, but access would not have been possible.
Due to the lack of encryption, the data protection authority has taken action because it is a violation of UK data protection legislation.
Investigation
The data protection violation was reported by the airport to the data protection authority. The GDPR stipulates that such a report must be made within 72 hours of the incident becoming known.
In the course of the investigations of the data protection authority it was found that only about 2% of the Heathrow employees were trained in the area of data protection. In addition, copying data to unprotected USB sticks was a common practice at the airport, although this was prohibited by the guidelines. According to the data protection authority, data protection training could have prevented this practice.
With data protection being addressed not only at board meetings, appropriate guidelines and training are essential to ensure that the personal data of employees and customers is optimally protected.
During the investigation, Heathrow Airport operated an Internet monitoring system. The data lost was actively searched to check whether it was published on the Internet or Darkweb.
Consequences
The UK data protection authority set the penalty at £120,000. The old Data Protection Act, which provided for a maximum penalty of £500,000 and was thus significantly lower than the GDPR maximum penalty, was used as a basis. This amounts to £ 17.000.000,- (€ 20.000.000) or 4% of the worldwide annual turnover. The airport announced that it would accept the penalty.
Conclusion
The data protection violation at Heathrow Airport would have been easy to prevent. The encryption of data carriers would not have allowed unauthorised access to personal data. Instead, it was determined that the company-wide guideline on data protection was not or only partially complied with by employees. It turns out that it is not sufficient to draw up guidelines on the subject of data protection, one must also monitor their enforcement.
The airport got away with a minor fine in this case. With a turnover of around £4 billion, the fine was only £120,000 and only 0.00003% of annual turnover. The penalty was certainly mitigated by the fact that the data breach was reported on time and monitored to see whether the lost data had been made public by third parties.