The monetary penalty was served on the Department of Justice Northern Ireland (DoJNI) after the Information Commissioner's Office (ICO) found it guilty of a serious breach of data protection law.
The fine was levied because staff at the Compensation Agency Northern Ireland (CANI), an agency of DoJNI that deals with compensation claims arising from terrorist incidents in Northern Ireland, failed to check a locked filing cabinet before it was sold at auction during an office move.
Inside the filing cabinet were papers dating back to the 1970s which contained "a limited amount of confidential, ministerial advice and highly sensitive personal data relating to victims of a terrorist incident, the injuries suffered, their family details including addresses and in some cases the amount of compensation offered by CANI", according to the ICO's monetary penalty notice (11-page / 131KB PDF).
The individual who bought the filing cabinet reported the data breach to the police in Northern Ireland who returned the papers to CANI.
An investigation by the ICO found failings in the data security policies and practices at CANI and identified three other "near misses" stemming from CANI's office move. It said "tighter controls" should have been in place around data security during the move.
"Although there was an overarching expectation that personal data would be handled securely, the only written instruction to staff in relation to this office move was a Chief Executive’s Notice which stated that ‘Heads of Branch are asked to do a quick check around their offices to ensure that all cupboards, pedestals, cabinets etc. have been accounted for (know where they are going i.e. moving or staying) and that the contents have been packed or disposed of’," the ICO's notice said.
"The Commissioner understands that remedial action has now been taken by [DoJNI] which includes implementing detailed procedures for the removal of cupboards, pedestals and filing cabinets etc. from one office location to another (including furniture that is locked and/or kept in storage) to ensure that, in future, any personal data contained in such furniture will be disposed of promptly and securely," it added.
Under the Data Protection Act (DPA) organisations must take "appropriate technical and organisational measures ... against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data". The Act also requires organisations to ensure that the personal data they hold is "adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed".
The ICO can serve organisations with monetary penalties of up to £500,000 if they breach the Act.
In order for a fine to be justified, an organisation must be guilty of a "serious contravention" of the data protection principles in a way that is "likely to cause substantial damage or substantial distress".
The breach must also be shown to have been either carried out deliberately or by an organisation or person who knew or should have known about the risk of the breach and the damage or distress it could cause but did not take "reasonable steps to prevent the contravention" happening.
"This is clearly a very serious case," the ICO's Assistant Commissioner for Northern Ireland Ken Macdonald said in a statement. "While failing to check the contents of a filing cabinet before selling it may seem careless, the nature of the information typically held by this organisation made the error all the more concerning. The distress that could have been caused to victims and their families had this fallen into the wrong hands is self-evident."