The UK’s Information Commissioner has today announced that it has imposed the first monetary penalties for serious breaches of the Data Protection Act. The Commissioner’s powers to impose fines of up to £500,000 went live on 6 April 2010, as reported in our previous post here. The circumstances in which fines may be issued and the factors which will influence the ICO’s exercise of its powers are set out here. Since then, privacy pundits and data controllers alike have been waiting with bated breath to see who would be the first to incur the new fines. On this occasion, the ICO has chosen to make an example of organisations in both the public and private sector.
In the public sector “category”, a fine of £100,000 goes to Hertfordshire County Council for two incidents involving the faxing of highly sensitive details of child abuse matters and care proceedings – by a childcare litigation unit – to the wrong recipients. The Commissioner commented that it was “difficult to imagine information more sensitive than that relating to a child sex abuse case“. The fact that there were two similar incidents in a very short space of time, and that the Council did not take steps to prevent the breach recurring, also contributed to the high level of the fine.
In the private sector, a fine of £60,000 goes to employment services company A4e Limited over the loss of an unencrypted laptop. The loss or theft of laptops and other devices features regularly in the ICO’s enforcement notices, and undertakings are often the ICO’s enforcement weapon of choice to punish data controllers for lax security practices. However, in this instance the ICO has decided that a fine is appropriate in view of the number of individuals whose data was compromised (24,000 users of community legal advice services) and the fact that the risk could have been avoided easily, by encrypting the data.
The laptop-related fine may give many organisations cause to think “there but for the grace of God…” If nothing else, it should send in-house lawyers and CIOs rushing to check that their organisations’ practices on data security really do measure up to the ICO’s best practice guidance.
Privacy practitioners will doubtless be picking over the detail of both the Hertfordshire and the A4e penalty notices to see what more we can glean about the ICO’s likely approach to fines for future breaches. Datonomy would love to hear the reaction from its readers and overseas correspondents to today’s momentous UK news!