Monetary penalties for “serious” data protection breaches
Two organisations, one a county council, have been served the first monetary penalties for serious breaches of the Data Protection Act 1998.
Organisations can be fined up to £500,000 for serious breaches of the 1998 Act. Information Commissioner, Christopher Graham used these powers last week for the first time, fining Hertfordshire County council £100,000 and employment services company, A4e £60,000.
Graham said: “These first monetary penalties send a strong message to all organisations handling personal information. Get it wrong and you do substantial harm to individuals and the reputation of your business.”
Hertfordshire’s data breach concerned two separate instances of faxes sent to the wrong person by members of the childcare litigation unit.
The first fax involved highly sensitive details of a child sexual abuse case then before the courts. The second fax contained details of child care proceedings and domestic violence records.
Ruling the council failed to take sufficient steps to prevent the second mistake occurring, Graham said it “was difficult to imagine information more sensitive”.
A4e’s breach happened when an employee had their laptop stolen—it contained unencrypted personal information of more than 24,000 people who had used community legal advice centres in Hull and Leicester. Graham ruled A4e had breached the Act by failing to encrypt the laptop.
Both organisations reported the breach to the ICO.
Tom Morrison, partner, Rollits, says: “Both of these cases show how everyday activities can have serious and unintended consequences for an organisation, its staff and the individuals whose personal information may be compromised. Every IT team across the country should be making sure that mobile devices are properly encrypted, and their management teams should be supporting those efforts not least because the senior people within an organisation can in some situations have personal liability for a data protection breach.
“On a practical level, any organisation which provides employees with laptops should identify whether information really needs to be held on that laptop or whether the laptop should be used to connect to a secure service hosted remotely.”
