First data protection fines issued (£60,000 in Hull/Leicester and £100,000 in Hertfordshire)
The Information Commissioner has used his new fining powers for the first time. The fines, known as monetary penalties, have been issued in connection with data protection breaches arising in Hull, Leicester and Hertfordshire.
Two substantial fines have been issued. An employment services company was fined £60,000 for losing a laptop which contained unencrypted information relating to community legal advice centres in Hull and Leicester. The laptop contained information about people who had used the centres, including names, dates of birth, postcodes, employment status, income level, information about alleged criminal activity and whether an individual had been a victim of violence.
The laptop was issued to an employee for use at home and it was stolen from that home. The company reported the incident to the Information Commissioner and notified the people whose data had been lost. The Information Commissioner felt that a monetary penalty of £60,000 was appropriate, given that access to the data could have caused substantial distress. The company also did not take reasonable steps to avoid the loss of the data when it issued the employee with an unencrypted laptop, despite knowing the amount and type of data that would be processed on it.
In issuing the fine the Information Commissioner said:
"The laptop theft... warranted nothing less than a monetary penalty as thousands of people's privacy was potentially compromised by the company's failure to take the simple step of encrypting the data".
The Information Commissioner has previously made clear that nothing short of encryption will do when it comes to protecting information held on mobile devices such as laptops.
Hertfordshire County Council was fined a higher amount of £100,000 when employees in its Childcare Litigation Unit accidentally sent faxes containing highly sensitive personal information to the wrong recipients, twice within two weeks. The faxes related to child abuse and care proceedings. The Council reported the breaches to the Information Commissioner and subsequently obtained a court injunction prohibiting disclosure of the facts of one of the court cases.
The Information Commissioner ruled that a fine was appropriate given that the Council's procedures failed to stop two serious breaches taking place where access to the data could have caused substantial damage and distress. After the first breach occurred, the Council did not take sufficient steps to reduce the likelihood of another breach occurring.
Tom Morrison, a Partner in Rollits' Commercial Group, comments:
"The Information Commissioner is sending a message with these fines. He wants all organisations which process personal information - which in reality means all organisations - to appreciate that a failure to comply with the Data Protection Act can have serious financial consequences as well as causing damage to reputation. There is also a range of criminal offences on the books, which can in some circumstances apply to an organisation's officers personally as well as the organisation itself.
"Both of these cases show how everyday activities can have serious and unintended consequences for an organisation, its staff and the individuals whose personal information may be compromised. Every business, charity and public sector organisation should examine their procedures and ask the question 'are we sure that this could not happen to us?' In particular, are procedures in place to minimise the risk of any laptops being stolen and, more importantly, if one is stolen, will the thief be able to access personal information held within it?
"Laptops can easily be insured, but once personal information is lost it is expensive, difficult and in some cases not possible to undo the damage caused. Every IT team across the country should be making sure that mobile devices are properly encrypted, and their management teams should be supporting those efforts, not least because the senior people within an organisation can in some situations have personal liability for a data protection breach. On a practical level, any organisation which provides employees with laptops should identify whether information really needs to be held on that laptop or whether the laptop should be used to connect to a secure service hosted remotely. When secure facilities are provided, either in terms of encryption or arranging remote access, employees need to be trained in how to use those facilities properly and the organisation needs to be able to demonstrate that the training has taken place and is refreshed when appropriate.
"In terms of misdirected faxes and emails, are procedures in place to minimise the chance of a fax being sent to the wrong recipient, are they being monitored to detect if they fail and can those procedures and the monitoring be demonstrated to the Information Commissioner's satisfaction should those procedures fail despite the organisation's best efforts?!"
If you are unsure as to how the Data Protection Act affects your organisation please call Tom Morrison on 01482 323239 or firstname.lastname@example.org.
This article is for general guidance only. It provides useful information in a concise form. Action should not be taken without obtaining specific legal advice.