UK: First monetary penalties served for serious data protection breaches
The Information Commissioner today served two organizations with the first monetary penalties for what he characterized as serious breaches of the Data Protection Act.
The first penalty, of £100,000, was issued to Hertfordshire County Council for two serious incidents where council employees faxed highly sensitive personal information to the wrong recipients. The first case, involving child sexual abuse, was before the courts, and the second involved details of care proceedings.
The second monetary penalty, of £60,000, was issued to employment services company A4e for the loss of an unencrypted laptop which contained personal information relating to 24,000 people who had used community legal advice centres in Hull and Leicester.
The Hertfordshire County Council breaches occurred in June 2010 when employees in the council’s childcare litigation unit accidentally sent two faxes to the wrong recipients on two separate occasions. The council reported both breaches to the Information Commissioner’s Office (ICO).
The first misdirected fax was meant for barristers’ chambers and was sent to a member of the public. The council subsequently obtained a court injunction prohibiting any disclosure of the facts of the court case or circumstances of the data breach.
The second misdirected fax, sent 13 days later by another member of the council’s childcare litigation unit, contained information relating to the care proceedings of three children, the previous convictions of two individuals, domestic violence records and care professionals’ opinions. The fax was mistakenly sent to barristers’ chambers unconnected with the case. The intended recipient was Watford County Court.
The Commissioner ruled that a monetary penalty of £100,000 was appropriate, given that the Council’s procedures failed to stop two serious breaches taking place where access to the data could have caused substantial damage and distress. After the first breach occurred, the council did not take sufficient steps to reduce the likelihood of another breach occurring.
The A4e data breach also occurred in June 2010 following the company issuing an unencrypted laptop to an employee for the purposes of working at home. The laptop contained sensitive personal information when it was stolen from the employee’s house. That breach was previously reported here.
The laptop contained personal information relating to 24,000 people who had used community legal advice centres in Hull and Leicester. An unsuccessful attempt to access the data was made shortly after the laptop was stolen. Personal details recorded on the system included full names, dates of birth, postcodes, employment status, income level, information about alleged criminal activity and whether an individual had been a victim of violence.
A4e reported the incident to the ICO. The company subsequently notified the people whose data could have been accessed.
The Commissioner ruled that a monetary penalty of £60,000 was appropriate, given that access to the data could have caused substantial distress. A4e also did not take reasonable steps to avoid the loss of the data when it issued the employee with an unencrypted laptop, despite knowing the amount and type of data that would be processed on it.
Information Commissioner, Christopher Graham, said:
“It is difficult to imagine information more sensitive than that relating to a child sex abuse case. I am concerned at this breach – not least because the local authority allowed it to happen twice within two weeks. The laptop theft, while less shocking, also warranted nothing less than a monetary penalty as thousands of people’s privacy was potentially compromised by the company’s failure to take the simple step of encrypting the data”.
“These first monetary penalties send a strong message to all organizations handling personal information. Get it wrong and you do substantial harm to individuals and the reputation of your business. You could also be fined up to half a million pounds.”