This post was written by Nick Tyler.

In spite of impending cuts in the budgets of local government across the UK it is notable that the national data protection regulator, the ICO, has seen fit to hit two London Borough Councils with hefty fines for ineffective data security policies and practice.

It is bordering on the incredible in this day and age that they should have issued unencrypted laptops to their home workers, but what probably amounted to the ‘last straw’ from the ICO’s point of view was that the councils failed to follow their own policies, which specifically required encryption. Two such laptops were stolen from an employee’s home.

While there has been no evidence yet of access to, and compromise of, any of the personal details of 1,700 individuals (all clients of the councils’ ‘out-of-hours’ services), the ICO decided that a significant risk to those individuals’ privacy had resulted. This warranted the imposition of only the third and fourth such penalties since the ICO was given increased powers last year [see previous blog post on the first such penalties. ]

The London Borough of Ealing now faces a monetary penalty of £80,000 GBP while the London Borough of Hounslow must pay £70,000 GBP.

The ICO’s Deputy Commissioner, David Smith said:

“Of the four monetary penalties that we have served so far, three concern
the loss of unencrypted laptops. Where personal information is involved,
password protection for portable devices is simply not enough.

“The penalty against Hounslow Council also makes clear that an
organisation can’t simply hand over the handling of the personal
information it is responsible for to somebody else unless they ensure that
the information is properly protected.

“Both councils have paid the price for lax data protection practices. I hope
all organisations that handle personal information will make sure their
houses are in order – otherwise they too may have to learn the hard

The ICO’s press release goes on to say that “following the incident, both councils contacted affected individuals. Both authorities have also put significantly improved policies in place for information security and have agreed to consider an audit by the ICO.”

It is fundamental to any organisation’s compliance efforts that they not only say what they do and do what they say, but that they can prove it. These are clear examples of organisations failing to unearth, and control, bad data protection practices. That’s an accident waiting to happen and now the regulator is waiting in the wings to pounce, and bite!