£180,000 fine for failing to protect “personal data”

Meet the team:

  • Tel: +44 (0) 161 829 2599
berg logo
Share this post: linkedin Twitter facebookshare Email
Posted in:Corporate and Commercial|September 30, 2015 | Join the mailing list

The Information Commissioner’s Office (“ICO”) has fined Instant Cash Loans Ltd (t/a The Money Shop) £180,000 when The Money Shop had a server which held customer and employee records stolen from
it in April 2014 and a second server lost in transport between its premises in May 2014.

The Data Protection Act 1998 (“DPA”) has eight principles set out within its Schedule 1. The ICO found that The Money Shop breached principle seven, which
states that measures shall be taken against: unlawful processing of; accidental loss of; destruction of; or damage to personal data.

The ICO found that not all of The Money Shop’s premises had a “safe haven” where servers could be locked overnight, nor did it encrypt the personal data held on its servers.

The size of the fine reflects the ICO’s view that the acts were likely to cause substantial distress and loss. In its reasoning the ICO considered the number of affected
individuals, the nature of the data, the fact that the data could be used for fraudulent purposes and also that the servers were not recovered.

The substantial fine should be a reminder to all “data controllers” under the DPA (i.e. the business or entity which determines how and why data is to be processed) to
review their data protection practices and to ensure that they comply with the DPA.

A failure to comply with the DPA, even if that failure is highlighted by the legal or illegal acts of an unconnected third party, may cause serious consequences for the
“data controller” in question.

Should you have any queries regarding data protection or the Data Protection Act 1998, please contact Stephen Foster, Partner and Head of the Corporate and Commercial Department at stephenf@berg.co.uk
or by telephoning 0161 833 9211.


The information and opinions contained in this article are not intended to be comprehensive, nor to provide legal advice.  No responsibility for its accuracy or
correctness is assumed by berg or any of its partners or employees.  Professional legal advice should be obtained before taking, or refraining from taking, any action as a result of this article.

Join our mailing list

More from berg



"berg achieved exactly the right balance, protecting revenue streams and safeguarding against risk while maintaining our commercial and competitive approach"

Generis Technology Limited