This post was also written by Nick Tyler.
The UK data protection regulator, the Information Commissioner’s Office (ICO), announced today the imposition of monetary penalties against two organisations for serious breaches of the Data Protection Act. This is the first time the ICO has used its new enforcement powers since they came into effect in April this year.
The monetary penalties signal a step-change in the UK data protection regulator’s approach to enforcement and will see the heat turned up now for those that fall foul of the law through poor, negligent or non-existent personal information handling practices.
Details of the incidents make sobering reading, both because of the seemingly mundane nature of the breach and the risk of harm to the individuals concerned. In both cases the organisations self-reported the breaches to the ICO in line with ICO guidance and best practice. Both incidents occurred in June 2010 so it took the ICO less than six months to impose the penalties. In the future, the process may take less time than that.
In the first and more serious case, the childcare litigation unit of a local governmental authority mistakenly sent faxes containing highly sensitive information about a child sex abuse case to a member of the public and, in separate childcare proceedings, to a barristers’ chambers unconnected with the case. The intended recipients were the barristers instructed in the sex abuse case and, in the case of the childcare proceedings, a local court. The ICO imposed a penalty of £100,000 on the local authority responsible, Hertfordshire County Council. What made this matter worse was that, after the first incident, procedures were not tightened up sufficiently to prevent the second incident happening less than two weeks later.
While the use of fax machines appears increasingly outmoded these days, it serves as a warning shot when it comes to more common forms of communication – for example, misdirected email and attachments sent as a result of careless use of the “Auto Complete” function.
The other case is typical of data losses that happen every day – a lost or, as here, stolen laptop. Crucially in this case, and somewhat surprisingly given the information it contained (including income level and information about criminal allegations), the laptop was not encrypted. That simple fix would have avoided putting the 24,000 individuals affected at risk. The organisation involved, an employment services company, merely needed to take the reasonable precaution of installing encryption software on the laptop before issuing it to a home-based employee. The company involved, A4e, notified the people affected after informing the ICO of the breach. A4e was fined £60,000.
Announcing the fines, the Information Commissioner, Christopher Graham, warned: “These first monetary penalties send a strong message to all organisations handling personal information. Get it wrong and you do substantial harm to individuals and the reputation of your business. You could also be fined up to £500,000 GBP.”
The lesson for organisations is that cooperation with the ICO may still lead to fines if policies are either not in place or not adhered to. One also wonders whether the ICO is starting to apply the proposed principle of accountability when investigating an organisation’s breach of the Data Protection Act and issuing fines as a way of “reinforcing the responsibility of data controllers”.
See our prior blog post here.