Eight credit agreements completed by PC World customers were disposed of in a skip by the retailer’s employees, according to the Information Commissioner’s Office (ICO).
DSG, parent company of PC World, was today found guilty of breaching the Data Protection Act and given a warning by the ICO.
Credit card details and addresses were clearly visible on the discovered documents, putting those customers in danger of identity and bank fraud.
Mick Gorrill, Head of Enforcement at the ICO, said: “Any organisation collecting and holding personal information needs to ensure that information is kept and disposed of safely and securely.
“This is an important principle of the act. Making sure data is disposed of securely and not keeping information for longer than is necessary can help to prevent information falling into the wrong hands.
“Staff need to be aware of policies and it is essential they receive appropriate training to follow them.”
John Browett, DSG’s CEO, has signed an agreement to the effect that nothing like this will be allowed to happen again. Staff will be retrained and procedures reviewed, and so long as there is no repeat of the incident, the ICO will take no further action.
Section 4 of the Data Protection Act states that it is the duty of a data controller, in this case DSG, to ensure that its customers’ personal details are protected.
DSG’s own compliance procedures require staff to send personal details in sealed containers to a central facility for secure shredding, but poorly trained staff failed to do so on this occasion.