Equifax has been fined the maximum £500,000 penalty for its breach last year which exposed data belonging to 146 million people around the world, including 15 million in the UK.
The ICO investigation found that, although the information systems in the US were compromised, Equifax Ltd was responsible for the personal information of its UK customers. The UK arm of the company failed to take appropriate steps to ensure its American parent Equifax Inc, which was processing the data on its behalf, was protecting the information.
Multiple failures at the credit reference agency led to personal information being retained for longer than necessary and vulnerable to unauthorised access, the ICO found.
The company contravened five out of eight data protection principles of the Data Protection Act 1998 including, failure to secure personal data, poor retention practices, and lack of legal basis for international transfers of UK citizens’ data.
The penalty imposed represents the maximum allowed under the previous legislation. The investigation was carried out under the Data Protection Act 1998, as the failings occurred before the rather more strict GDPR came into force in May of this year.
Printed Copy:
Would you also like to receive CIR Magazine in print?
Data Use:
We will also send you our free daily email newsletters and other relevant communications, which you can opt out of at any time. Thank you.
YOU MIGHT ALSO LIKE