For the first time, the UK data protection regulator has exercised its new powers to impose eye-watering fines on personal data abusers. The £500,000 "jackpot" has not been "won" so far, but the penalties will still concentrate minds wonderfully, reports Joseph Kitchingham.
Who: Information Commissioner’s Office
When: November 2010
Law stated as at: 2 December 2010
The Information Commissioner's Office (ICO) was given the power to issue fines of up to £500,000 back in April 2010, but had until now declined to exercise it. It has now finally used that power to fine organisations for breaching the Data Protection Act (DPA), stinging Hertfordshire County Council for £100,000 and the employment services company A4e for £60,000.
A4e was fined for the loss of an unencrypted laptop that contained personal information relating to 24,000 people who had used community legal advice centres in Hull and Leicester. The data breach occurred in June 2010 when the unencrypted company laptop was stolen from an employee's home. After reporting the incident to the ICO, the company notified the people whose data could have been accessed.
Personal details recorded on the system included full names, dates of birth, postcodes, employment status, income level, information about alleged criminal activity and whether an individual had been a victim of violence. An unsuccessful attempt to access the data was made shortly after the laptop was stolen, the ICO said.
The ICO ruled that a fine of £60,000 was appropriate, given that access to the data could have caused substantial distress. It also found that A4e did not take reasonable steps to avoid the loss of the data when it issued the employee with an unencrypted laptop, despite knowing the amount and type of data that would be processed on it.
A second penalty of £100,000 was issued to Hertfordshire County Council for two serious incidents in which council employees faxed highly sensitive personal information to the wrong recipients. One of the faxes concerned a child sexual abuse case, while the other contained details of care proceedings.
Christopher Graham, the Information Commissioner, said in a statement:
"The A4e laptop theft, while less shocking than the sex abuse case, also warranted a monetary penalty as thousands of people's privacy was potentially compromised by the company's failure to take the simple step of encrypting the data."
Mark Fullbrook, director for UK and Ireland at Cyber-Ark (Privileged Identity Management, PIM), said of the fines:
"The industry has been nervously waiting to hear which organisation would first fall victim to the ICO's increased powers, and now we know. People will always need to share information; that isn't going to change. So the onus is on organisations to establish solutions that can effectively manage this risk while providing a secure environment in which to share data."
Why this matters:
These first monetary penalties send a strong message to all organisations handling personal information. Get it wrong and you not only do substantial harm to individuals and to the reputation of your business; you also face a hefty fine. Rumour has it that others are in the firing line, and it remains to be seen whether more careless data controllers will receive an unwanted early Christmas present.