Out-Law News

O2 Ireland announces possible loss of data tape by IT outsourcers


A major IT outsourcing firm has lost an unencrypted tape which may have some personal information about O2 customers in Ireland stored on it, the telecoms firm has said.

O2 has apologised to customers, but the company has said that it is unsure how many customers, if any at all, are affected by the data loss.

In a notice published on its website, O2 said that it is unsure exactly what information is contained on the tape which it said IBM, its "IT support partner" in Ireland, had "misplaced" in September last year. O2 said IBM informed it about the lost tape in the summer. O2 said that the information on the tape, although unencrypted, can only be accessed using "specialist technology", and that there is only a "low risk" to customer privacy.

The company said it had notified the Irish data protection watchdog, the Office of the Data Protection Commissioner, of the issue. It said it has also taken action to ensure that there will not be a repeat incident. It is the first incident of its kind O2 has experienced, according to the telecoms firm.

"The tape in question was part of a set of tapes used for daily backups of O2's systems and contained a snapshot of data at a particular moment in time, including files from O2's internal corporate drives," O2 said in its website notice. "While it is possible that it could contain some personal data, it is more likely that it simply contained information about O2's normal business affairs and company information."

"While the tape has been lost, it is likely still in an O2 building. As a result we believe there is a low risk to customer data privacy," it added. "We are not aware of any incident since the tape was misplaced whereby data that might have been on the tape was accessed or used."

"O2 sincerely apologises to its customers that the incident in question occurred. We also want to reassure customers that stringent measures have since been taken to ensure such an incident does not happen again. We have undertaken a full review of the process around the handling of back-up tapes to ensure this does not happen again," the company said.

In the UK there are specific rules 'data controllers' must adhere to when outsourcing the processing of personal data they are responsible for to other companies.

Under the Data Protection Act (DPA) data controllers are required to take "appropriate technical and organisational measures" to ensure against the "unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data".

When outsourcing personal data processing to others, data controllers are required to select processors that can provide "sufficient guarantees" that they can properly meet the "technical and organisational measures" requirement and that they will "take reasonable steps" to "ensure compliance".

The data controllers must also establish a written contract with data processors specifying that the processor may only undertake processing activities that the controller tasks them with, whilst the contract must also hold the processors to meeting the "technical and organisational measures" requirement of the DPA. The data controller is responsible for those personal data security standards being met by the processors to which they outsource.

Further rules apply to personal data processing where the processing by outsourcing firms takes place outside the European Economic Area.
