New fines issued by the ICO

Anna Soilleux

The Information Commissioner’s Office (ICO) has this week served Ealing Council and Hounslow Council with fines of £80,000 and £70,000 respectively for serious breaches of the Data Protection Act (DPA) following the loss of two unencrypted laptops containing sensitive personal data.

Ealing Council provides an out of hours service on behalf of both councils, which is operated by nine staff who work from home.  Personal details of 1,700 individuals were lost when the laptops were stolen from an employee’s home.  The laptops were password protected but unencrypted – in breach of both councils’ policies on encryption.

Ealing Council was found to be in breach of the DPA by issuing an unencrypted laptop in breach of its own data security policy.  The ICO also found that the council had insufficient checks in place to ensure that the relevant policies were being complied with and were understood by staff.  Hounslow Council was found to be in breach of the DPA by failing to have a written contract in place with Ealing Council.

Since the ICO was given powers to impose fines of up to £500,000 in April 2010, it has to date served four monetary penalties, and three of these relate to the loss of unencrypted laptops. A similar incident last year led to a £60,000 fine for the firm A4e Limited, as Datonomy reported here. In its statement this week, the ICO emphasised that where personal data is concerned, password protection for portable devices is not enough.

Following the incident both councils are said to have put in place improved data security policies and are considering an audit by the ICO.

2 thoughts on “New fines issued by the ICO”

  1. The Information Commissioner’s Office (ICO), the United Kingdom’s data regulator, has announced tough new powers designed to fine organisations responsible for security breaches, which are likely to come into effect on 6 April 2010.

    From that date forward, fines of up to £500,000 can be imposed on organisations for what are considered serious breaches of the UK’s Data Protection Act 1988.
    In order for the fine to be levied, “the Information Commissioner must be satisfied that there has been a serious breach that was likely to cause damage or distress and it was either deliberate or negligent and the organisation failed to take reasonable steps to prevent it.”

    The ICO provided examples of when the new powers will be used, such as when customers face identity theft following a data breach or when an organisation collects data for a competition but then uses the entrant’s details for other purposes. The legislation outlines that an enforcement notice can be issued at the same time as a fine.

    Historically, enforcement notices that were served required a corporation to encrypt laptops after a breach, change its marketing practices or take other compliance measures.

    The new powers are likely to strengthen compliance requirements for UK and Multinational organisations and as a result drive further demand for Application, Endpoint and Email Security Solutions across the Private and Public Sector.

    Regulators, both in Europe and the US, have maintained that corporations should have an incident plan in place before they experience a breach, as well as take steps to minimize the risk of a breach happening. The ICO’s new powers indicate there is likely to be no respite in regulatory activity in this area in 2010.
