Monetary Penalty Notice for British Pregnancy Advice Service

March 7, 2014

The British Pregnancy Advice Service (BPAS) has had a monetary penalty notice requiring a payment of £200,000 imposed upon it after a breach of the Data Protection Act revealed thousands of people’s details to a malicious hacker.

An ICO investigation found the charity did not realise that its web site was storing the names, address, date of birth and telephone number of people who asked for a call back for advice on pregnancy issues. The personal data was not stored securely and a vulnerability in the web site’s code allowed the hacker to access the system and locate the information.

The hacker threatened to publish the names of the individuals whose details he had accessed, though that was prevented after the information was recovered by the police following an injunction obtained by the BPAS. 

David Smith, Deputy Commissioner and Director of Data Protection, said:

‘Data protection is critical and getting it right requires vigilance. The British Pregnancy Advice Service didn’t realise their website was storing this information, didn’t realise how long it was being retained for and didn’t realise the website wasn’t being kept sufficiently secure. But ignorance is no excuse. It is especially unforgiveable when the organisation is handing information as sensitive as that held by the BPAS. Data controllers must take active steps to ensure that the personal data they are responsible for is kept safe. There’s a simple message here: treat the personal information you are holding with respect. This includes making sure you know just what information you are holding and that it is subject to up-to-date and effective security measures.’

The investigation found that as well as failing to keep the personal information secure, the BPAS had also breached the Data Protection Act by keeping the call back details for five years longer than was necessary for its purposes.

The full monetary penalty notice is available here.