First data protection fines issued (£60,000 in Hull/Leicester and £100,000 in Hertfordshire)

The Information Commissioner has used his new fining powers for the first time. The fines, known as monetary penalties, have been issued in connection with data protection breaches arising in Hull, Leicester and Hertfordshire.

Two substantial fines have been issued. An employment services company was fined £60,000 for losing a laptop which contained unencrypted information relating to community legal advice centres in Hull and Leicester. The laptop contained information about people who had used the centres, including names, dates of birth, postcodes, employment status, income level, information about alleged criminal activity and whether an individual had been a victim of violence. 

The laptop had been issued to an employee for use at home and was stolen from that home. The company reported the incident to the Information Commissioner and notified the people whose data had been lost. The Information Commissioner considered a monetary penalty of £60,000 appropriate because access to the data could have caused substantial distress, and because the company had not taken reasonable steps to prevent the loss: it issued the employee with an unencrypted laptop despite knowing the amount and type of data that would be processed on it.

In issuing the fine the Information Commissioner said:

"The laptop theft... warranted nothing less than a monetary penalty as thousands of people's privacy was potentially compromised by the company's failure to take the simple step of encrypting the data".

The Information Commissioner has previously made clear that nothing short of encryption will do when it comes to protecting information held on mobile devices such as laptops. 

Hertfordshire County Council received the higher penalty of £100,000 after employees in its Childcare Litigation Unit, twice within two weeks, accidentally sent faxes containing highly sensitive personal information to the wrong recipients. The faxes related to child abuse and care proceedings. The Council reported the breaches to the Information Commissioner and subsequently obtained a court injunction prohibiting disclosure of the facts of one of the court cases.

The Information Commissioner ruled that a fine was appropriate given that the Council's procedures failed to stop two serious breaches taking place where access to the data could have caused substantial damage and distress. After the first breach occurred, the Council did not take sufficient steps to reduce the likelihood of another breach occurring.

Tom Morrison, a Partner in Rollits' Commercial Group, comments:

"The Information Commissioner is sending a message with these fines. He wants all organisations which process personal information - which in reality means all organisations - to appreciate that a failure to comply with the Data Protection Act can have serious financial consequences as well as causing damage to reputation. There are also a range of criminal offences on the books, which can in some circumstances apply to an organisation's officers personally as well as the organisation itself.

"Both of these cases show how everyday activities can have serious and unintended consequences for an organisation, its staff and the individuals whose personal information may be compromised. Every business, charity and public sector organisation should examine their procedures and ask the question 'are we sure that this could not happen to us?' In particular, are procedures in place to minimise the risk of any laptops being stolen and, more importantly, if one is stolen, will the thief be able to access personal information held within it?

"Laptops can easily be insured, but once personal information is lost it is expensive, difficult and in some cases not possible to undo the damage caused. Every IT team across the country should be making sure that mobile devices are properly encrypted, and their management teams should be supporting those efforts not least because the senior people within an organisation can in some situations have personal liability for a data protection breach. On a practical level, any organisation which provides employees with laptops should identify whether information really needs to be held on that laptop or whether the laptop should be used to connect to a secure service hosted remotely. When secure facilities are provided, either in terms of encryption or arranging remote access, employees need to be trained in how to use those facilities properly and the organisation needs to be able to demonstrate that the training has taken place and is refreshed when appropriate.

"In terms of misdirected faxes and emails, are procedures in place to minimise the chance of a fax being sent to the wrong recipient, are they being monitored to detect if they fail, and can those procedures and the monitoring be demonstrated to the Information Commissioner's satisfaction should those procedures fail despite the organisation's best efforts?"

If you are unsure as to how the Data Protection Act affects your organisation please call Tom Morrison on 01482 323239 or email tom.morrison@rollits.com.

Posted on: 29/11/2010

This article is for general guidance only. It provides useful information in a concise form. Action should not be taken without obtaining specific legal advice.
