Public sector organisations such as NHS bodies, police and local authorities have received fines in excess of £2 million over the last 18 months for serious breaches of the Data Protection Act. Despite public sector organisations holding what is often regarded as particularly sensitive information, a report published by the Information Commissioner’s Office (ICO) in October highlighted that private sector companies are far more aware of their obligation to protect people’s data and are outdoing the public sector when it comes to putting in place measures to ensure compliance with data protection rules.
A number of public bodies have been fined recently by the ICO as a result of sensitive information concerning child protection going astray. Plymouth City Council received a fine of £60,000 when a printing error led to three pages of a report which detailed allegations of child neglect being sent to the wrong family. The ICO said that practical steps to prevent such errors, such as installing PIN printing which would require staff to activate printers with a code, were required. Stoke on Trent City Council were fined £120,000 when an in-house solicitor sent information concerning the care of a child by email to the wrong address. Although the solicitor was in breach of the Council’s guidance, which required sensitive information to be sent through a secure network or be encrypted, the Council had not provided the legal department with the encryption software and had provided no relevant training.
The ICO received bad press when it fined the social care charity, Norwood Ravenswood Ltd. Sensitive information about the care of a number of young children was lost after one of the charity’s social workers had left documents outside a London home. The ICO stated that this mishandling of sensitive information could have been avoided had the charity trained the worker about data protection and provided guidance on how to send personal data securely.
It is not only the mishandling of documentation concerning child protection which has led to fines being dished out by the ICO. Although subject to an appeal over the size of the fine, the Scottish Borders Council received a fine of £250,000 when over 670 files relating to the pension records of former employees were found in a recycling bank in a supermarket car park.
Despite the majority of recent fines going to public sector organisations, some private sector companies have also fallen short of the standards required. Prudential were fined £50,000 when an administrative error regarding two customers’ accounts led to thousands of pounds finding its way into the wrong account. The error began in 2007 and was most likely due to the fact that the customers had the same first name, surname and date of birth. Despite the error being brought to Prudential’s attention by the customers, it was not until 2010 that Prudential took action to rectify the error.
Although the private sector is reported to have a good record in complying with data protection rules, last year, the financial sector was the sector for which the ICO received most public complaints about how their information was being handled, with almost 13,000 complaints in total. It is not just the monetary penalties which can damage businesses breaching data protection. Often the adverse publicity and the subsequent increased regulatory scrutiny can be more damaging. It is essential that businesses develop comprehensive organisation-wide programmes and inform customers about their commitment to data protection. Implementing an effective strategy will involve: adopting standards and procedures; developing a culture of compliance and a chain of command; ensuring adequate resources to comply with the procedures; provide training and take action to ensure standards are kept; and carry out periodic reviews of the strategy. This final point is essential, but often overlooked. In today’s modern society, the rapid development of social media and the changing ways in which we communicate means that data protection strategies can quickly become outdated and require change.
