On 24 November the Information Commissioner served two
organisations with the first monetary penalty notices for serious
breaches of the Data Protection Act. The Information
Commissioner's Office ("ICO") has had the power to
issue fines of up to £500,000 for such breaches since 6 April
2010.
The ICO has already made it clear that these first penalty notices
are "likely to set a precedent by which future notices
will be judged". As such, organisations should evaluate
their own technical and organisational procedures, and if necessary
take steps to avoid similar breaches.
Hertfordshire County Council was one of the organisations to
receive a monetary penalty notice. The fine was for £100,000
in respect of two breaches that happened in June this year. The
breaches resulted from the Council's childcare litigation unit
sending two faxes to the wrong recipients on two separate occasions
within a two week period. The faxes contained information relating
to a child abuse case and care proceedings.
The ICO served a monetary penalty on the basis that the Council had
failed to prevent two serious breaches of the Data Protection Act
where the disclosure of information risked causing substantial
damage and distress.
Christopher Graham, the Information Commissioner, said:
"It is difficult to imagine information more
sensitive than that relating to a child sex abuse
case".
The second organisation to be served with a fine was employment
services company A4e. A4e were fined £60,000 when an
unencrypted laptop that had been provided to an employee was stolen
from the employee's home in a burglary. The laptop contained
personal information relating to 24,000 people who had used
community legal advice centres in Leicester and Hull.
The information that was lost included names, dates of birth,
postcodes, employment details, income levels, information about
alleged crimes and details of whether individuals had been victims
of violence. Some of the information was coded, but the key to the
codes was set out in a separate document stored on the same
laptop.
A monetary penalty was considered to be appropriate because A4e
had issued an employee with a laptop containing large amounts of
unencrypted information, despite being aware of the personal nature
of that information, and because access to that information could
have caused substantial distress. It was also relevant that A4e had
failed to provide the employee with a lock to secure the laptop at
home.
Organisations should be aware that the ICO's policy is to take
enforcement action where laptops containing personal data do not
have adequate protection and are lost or stolen. Whilst the
financial consequences of receiving a monetary penalty notice will
be of concern, in many cases it is reputational damage that will be
the most severe consequence.
This article was written for Law-Now, CMS Cameron McKenna's free online information service. To register for Law-Now, please go to www.law-now.com/law-now/mondaq
The original publication date for this article was 29/11/2010.