Hertfordshire County Council and employment services company A4e have been fined under powers granted to the Information Commissioner to deal with serious breaches of the Data Protection Act. Fines of up to £500,000 can be imposed by the Commissioner.
In June of this year, on two separate occasions, employees of Hertfordshire County Council's childcare litigation unit sent faxes containing highly sensitive information to the wrong recipients.
The first fax was sent to a member of the public instead of a barrister and resulted in the Council winning a court injunction to prevent any of the information in the fax being made public.
Just 13 days later, the childcare litigation unit sent another fax to the wrong recipient, this time to the office of an unconnected barrister rather than Watford County Court. This fax contained information about care proceedings relating to three children, the previous convictions of two people, domestic violence records and care professionals' opinions.
"The Commissioner ruled that a monetary penalty of £100,000 was appropriate, given that the Council’s procedures failed to stop two serious breaches taking place where access to the data could have caused substantial damage and distress," said a statement from the Information Commissioner's Office (ICO). "After the first breach occurred, the council did not take sufficient steps to reduce the likelihood of another breach occurring."
Employment services company A4e gave an employee a laptop containing personal information on 24,000 people to take home. The computer was not encrypted.
The laptop was stolen from the employee's home and an unsuccessful attempt was made to access the information, which included details of individuals' names, dates of birth, postcodes, employment status, income level, information about alleged criminal activity and whether an individual had been a victim of violence, the ICO said.
"The Commissioner ruled that a monetary penalty of £60,000 was appropriate, given that access to the data could have caused substantial distress," said the ICO statement. "A4e also did not take reasonable steps to avoid the loss of the data when it issued the employee with an unencrypted laptop, despite knowing the amount and type of data that would be processed on it."
"It is difficult to imagine information more sensitive than that relating to a child sex abuse case," said Information Commissioner Christopher Graham. "I am concerned at this breach – not least because the local authority allowed it to happen twice within two weeks."
"The laptop theft, while less shocking, also warranted nothing less than a monetary penalty as thousands of people’s privacy was potentially compromised by the company’s failure to take the simple step of encrypting the data," he said.
"These first monetary penalties send a strong message to all organisations handling personal information. Get it wrong and you do substantial harm to individuals and the reputation of your business. You could also be fined up to half a million pounds," said Graham.
"These fines represent a significant but long anticipated change of direction in the ICO’s enforcement strategy," said William Malcolm, a data protection law specialist at Pinsent Masons, the law firm behind OUT-LAW.COM. "Whilst the ICO is likely to continue to act reasonably and proportionately when dealing with breaches of the Data Protection Act, time is up for those organisations guilty of what the ICO sees as the most serious breaches."
"Whilst these breaches are serious they are not unique or unusual. Many organisations will be looking at the process failings in these cases and thinking critically about their own organisational risk," said Malcolm.
The Information Commissioner was given the power to fine organisations in April of this year. In its guidance on when it would use the powers, the ICO said that fines should be levied when actions are deliberate, involve ignoring a known risk and cause real distress.
"The Commissioner may impose a monetary penalty notice if a data controller has seriously contravened the data protection principles and the contravention was of a kind likely to cause substantial damage or substantial distress," the guidance said. "In addition the contravention must either have been deliberate or the data controller must have known or ought to have known that there was a risk that a contravention would occur and failed to take reasonable steps to prevent it."