On 24 November 2010 the Information Commissioner served two organisations with the first fines for serious breaches of the Data Protection Act.
The fines were issued to an organisation in the public sector and an organisation in the private sector.
Public Sector: Misdirected faxes
The first penalty of £100,000 was issued to Hertfordshire County Council for two serious incidents in which council employees faxed highly sensitive personal information to the wrong recipients. The first fax, concerning a child sexual abuse case, was meant for a barrister’s chambers but was sent to a member of the public. The second fax, sent 13 days later, contained information relating to care proceedings for three children and was sent to a barrister’s chambers unconnected with the case. Both incidents were reported by the Council to the Information Commissioner.
The Council was fined on the basis that its procedures failed to prevent two serious breaches in which access to the data could have caused substantial damage and distress. After the first breach, the Council failed to take sufficient steps to reduce the likelihood of a second breach occurring.
Private Sector: Stolen Unencrypted Laptop
The second fine of £60,000 was issued to A4e, an employment services company, for the loss of an unencrypted laptop containing the personal information of 24,000 people who had used community legal advice centres in Hull and Leicester. The personal details recorded on the laptop included individuals’ full names, dates of birth, postcodes, employment status, income level, information about alleged criminal activity and whether an individual had been a victim of violence.
The laptop was issued to an employee for the purposes of working from home and was stolen from the employee’s house. Shortly after the laptop was stolen an attempt was made to access the information.
A4e reported the incident to the Information Commissioner and notified the people whose data could have been accessed.
A4e was fined on the basis that access to the data could have caused substantial distress and that A4e had failed to take reasonable steps to avoid the loss of the data: it issued the employee an unencrypted laptop despite being aware of the amount and type of data that would be processed on it.
The Information Commissioner, Christopher Graham, said that “these first monetary penalties send a strong message to all organisations handling personal information. Get it wrong and you do substantial harm to individuals and the reputation of your business. You could also be fined up to half a million pounds”.
Power to fine
The Information Commissioner’s power to issue fines came into force in April 2010. The power arises when there has been a serious contravention of data protection principles by a data controller where the contravention was deliberate or the data controller knew, or ought to have known, of the contravention risk and that the contravention would be likely to cause substantial damage or substantial distress, but failed to take reasonable steps to prevent the contravention.
Since the introduction of the power to fine, the Information Commissioner has been closely watched to see when the first fines would be issued, and has been criticised for having a bark worse than his bite for not using the new power. Now that the first fines have been levied we can expect more to follow.
By taking action on these cases the Information Commissioner is providing guidance on what is likely to lead to a fine. In both cases the trigger was a failure to take adequate care: in the first, by failing to react to a serious mistake and implement measures to prevent it happening again; in the second, by failing to take basic security precautions such as encrypting a portable device that held sensitive data.
These concerns reflect those of the Financial Services Authority (“FSA”), which has well established powers to issue fines to those in regulated sectors. The FSA has levied a number of fines against firms for failing to have adequate systems in place to protect customers’ confidential details. In particular, in August this year Zurich Insurance was fined £2.75 million, the largest single fine to date, for failing to take reasonable care to ensure it had effective systems and controls in place to manage the risks relating to security of customer data resulting from outsourcing arrangements.
Organisations, as data controllers, need to be careful not to be careless with personal data. This means ensuring that data is kept adequately secure, encrypting it where it is stored on portable devices and limiting access to personal data to those who need it. Organisations should also be aware that security breaches are not the only way to contravene the data protection principles: data must be handled fairly, must not be kept for longer than necessary, must not be excessively detailed, and must not be transferred outside the European Economic Area without ensuring adequate protection.
In both of these cases the incidents were reported to the Information Commissioner by the organisations themselves. This serves as a reminder that, when a breach occurs, organisations should consider whether it is necessary to report it to the Information Commissioner. The Information Commissioner’s Office has warned that a failure to report may lead to tougher sanctions.
As the Information Commissioner has shown he is willing to use his powers, it is time for organisations to review their procedures to ensure they are not the next to be named and shamed and even fined.