Early in the year, the Office received calls from two individuals reporting that there were credit card receipts littering a housing estate. The individuals had collected some of the receipts and were able to identify the retailer and the branch involved. We immediately contacted the retailer to advise them of the matter and to ensure that the retailer immediately sent staff to the area to recover the receipts.
The Retailer later notified this Office that the issue occurred when an envelope containing customer signed credit card receipts was put out for recycling rather than being securely destroyed. The envelope was then left out overnight in the store’s recycling bin. It is assumed that a passer-by searched through the bin, found and took the envelope. The individual then discarded the contents of the envelope a distance away from the store.
The Retailer, in an effort to recover the credit card slips, had staff search the locality in which the slips were seen and call to houses to recover any slips that may have been collected by individuals. The Retailer retrieved 500 credit card slips and was able to determine the period in which the relevant purchases had been made. We queried the total number of slips that were collected by the Retailer in this period.
It was determined that there was a balance of 200 receipt slips unaccounted for. Of the 500 recovered by the Retailer, many had been damaged by the inclement weather at the time and the details of the card holder could not be identified.
In dealing with such data security breaches, this Office employs a three-pronged approach. Firstly, we recommend that the affected individuals be notified of the matter. Secondly, the data controller should take steps to recover / secure the data. Finally, the data controller must put in place procedures to prevent a repeat of the issue.
In this case, the Retailer would not have the contact details of the affected individuals, nor was it in a position to identify all the affected individuals. The Retailer therefore contacted its service providers who process the credit and debit card payments. The card processing companies were able to identify the 700 customers involved. It was not appropriate for the card processing companies to supply the contact details to the Retailer and the card processing companies stated that in circumstances such as this it was their practice to monitor accounts for potential fraudulent activity, but not notify the cardholders directly. It was therefore agreed to proceed on this basis, the Retailer bearing all charges associated with this monitoring.
The Retailer, in attempting to secure the data, assigned considerable resources to searching the area in which the receipt slips were discarded and canvassing local houses. As noted above, this resulted in 500 of the 700 slips being recovered.
The Retailer notified my Office of the new procedures it was employing to prevent a repeat of this incident. A review of all confidential information held in stores was carried out and a special collection was arranged from all stores for the disposal of such information. A notification was issued to all staff reminding them of the need to securely store or destroy such confidential material. The Retailer’s Data Protection Policy and disposal policy were also updated.
We had also identified that the receipts being printed by the Retailer contained the full card number and start and expiry date of the card. We brought this issue to the attention of the Retailer, raising concerns with such a practice. The Retailer confirmed to this Office that it was changing its practice and future receipts would be printed with only part of the card number visible.
URL: http://www.bailii.org/ie/cases/IEDPC/2012/[2012]IEDPC16.html