The Information Commissioner’s Office (ICO) has this week served Ealing Council and Hounslow Council with fines of £80,000 and £70,000 respectively for serious breaches of the Data Protection Act (DPA) following the loss of two unencrypted laptops containing sensitive personal data.
Ealing Council provides an out-of-hours service on behalf of both councils, which is operated by nine staff who work from home. Personal details of 1,700 individuals were lost when the laptops were stolen from an employee’s home. The laptops were password protected but unencrypted – in breach of both councils’ policies on encryption.
Ealing Council was found to be in breach of the DPA for issuing an unencrypted laptop contrary to its own data security policy. The ICO also found that the council had insufficient checks in place to ensure that the relevant policies were understood by staff and were actually being complied with. Hounslow Council was found to be in breach of the DPA for failing to have a written contract in place with Ealing Council, which was processing personal data on its behalf.
Since the ICO was given powers to impose fines of up to £500,000 in April 2010, it has to date served four monetary penalties – and three of these relate to the loss of unencrypted laptops. A similar incident last year led to a £60,000 fine for the firm A4e Limited, as Datonomy reported here. In its statement this week, the ICO emphasised that where personal data is concerned, password protection for portable devices is not enough: a login password only controls access through the operating system, and the data on an unencrypted disk can be read simply by removing the drive or booting the machine from other media, whereas full-disk encryption protects the data at rest.
Following the incident both councils are said to have put in place improved data security policies and are considering an audit by the ICO.