On 24 November 2010 the Information Commissioner served two organisations with the first fines for serious breaches of the Data Protection Act 1998 since its enforcement powers came into effect in April 2010.
The first penalty of £100,000 was issued to Hertfordshire County Council for two serious incidents in which council employees faxed highly sensitive personal information, including information relating to a child sex abuse case, to the wrong recipients.
The second fine of £60,000 was issued to A4e, an employment services company, for the loss of an unencrypted laptop containing the personal information of 24,000 people who had used community legal advice centres in Hull and Leicester.
Whilst these fines are far from the maximum monetary penalty of £500,000, they signal a change in approach for the Information Commissioner’s Office, which has traditionally been reluctant to use these types of penalties. However, it still seems that fines will only be imposed in cases where there are serious violations of the Data Protection Act. We expect to see the Information Commissioner using these powers more freely and issuing more fines going forward.