This week, the ICO has fined Heathrow Airport Limited £120,000 for serious breaches of the Data Protection Act 1998. Whilst this decision is under the “old” data protection rules, it provides some helpful guidance from the ICO on what organisations should be doing to avoid such action by the ICO in the future.

Heathrow – what went wrong?

The ICO began investigating Heathrow Airport Limited after a member of the public found and viewed a USB memory stick which was not encrypted or password protected when this was lost by a member Heathrow Airport Limited’s staff.

The USB stick contained 76 folders and over 1,000 original files from Heathrow Airport Limited, only 1% of these files contained personal data. However, one of the files was a training video where the names, dates of birth, vehicle registrations, nationality, passport number and expiry date, roles and mobile numbers of 10 individuals (and some details of another 12-50 people) were visible on the video for around 3 seconds when the video accidentally captured an open ring binder containing the information.

The individual who found the USB stick took this to the press who took copies (and we understand have declined to return these copies, despite repeated requests from Heathrow Airport Limited) and subsequently released a story about the data breach, which was when the ICO became involved.

What did the ICO say?

At the time of the breach, the ICO held that Heathrow Airport Limited freely allowed staff to use removable media such as USB sticks to transport data but did not have adequate measures/protections in place to ensure that it remained in control of data which had been removed from its premises/servers.

Heathrow Airport Limited submitted that it had a number of policies, procedures and messages that were made available to staff regarding personal data and their use of removable media.

However, the ICO found that only around 2% of employees had received data protection training. Those who had received training were those who were deemed by Heathrow Airport Limited as being most at risk of exposure to personal data.


The ICO held that Heathrow Airport Limited had failed to take “appropriate technical and organisational measures” to prevent loss of data, which was in breach of the seventh data protection principle, namely:

  • they did not have in place any measures to prevent staff members downloading personal information onto unencrypted removable media;
  • they did not have any measures in place to disable users being able to download data;
  • they did not have measures in place to prevent staff members downloading personal data onto personal devices;
  • they did not have any way of finding out/recording how many devices were used to remove information from their systems;
  • they did not encrypt or password protect data on USB sticks;
  • they did not provide sufficient training to staff on data protection; and
  • they failed to monitor the implementation and adherence to policies and procedures around removable media.

Therefore, the ICO fined Heathrow Airport Limited £120,000 for the breaches.

Steps to Compliance

The ICO helpfully set out some measures that it would have considered reasonable in the circumstances for Heathrow Airport Limited to have in place at the time, namely:

  • encrypting removable devices;
  • controlling the number of removable devices used;
  • implementing procedures to ensure that personal data couldn’t be downloaded without permission;
  • measures in place to monitor compliance with policies/procedures; and
  • provision of adequate training.

The ICO made some specific comments about data protection training which are useful for other organisations when thinking about staff training. In the case of Heathrow Airport Limited it considered that 2% of staff (in this case 130 out of 6,500) was not sufficient to ensure staff were aware of obligations and requirements under data protection legislation. The ICO has made clear in guidance previously that data protection training for staff is key to compliance!

Key Takeaways?

Policies and procedures are of little value where staff are not trained in them and general data protection requirements!

How we can help

Here at MacRoberts, we have developed our own in-house training programme which covers the GDPR, which we offer to our clients to be utilised to train their own staff and assist in evidencing compliance with the new law.

We are able to offer clients two options:

(i)            Online GDPR training; and

(ii)           Bespoke face-to-face GDPR training for your organisation.

The online GDPR training is a simple way of showing compliance with the GDPR and ensuring all staff are aware of the changes to the law, and how they need to adapt their processes and procedures to ensure compliance with new obligations.

The training will:


·         raise awareness of the GDPR within your organisation;

·         highlight the main areas of change which may affect your staff;

·         ensure that all staff have the same understanding of data protection; and

·         provide evidence of your organisation’s commitment to data protection and complying with the GDPR.

If you would like to find out more about our online GDPR training modules, or our face-to-face GDPR training, please do not hesitate to contact a member of our Data Protection & Cyber Security team.