The Information Commissioner, Chris Graham, has today announced that he has served monetary penalty notices on two organisations for serious data security breaches. It is the first time that the Commissioner has exercised the new powers to serve monetary penalty notices, which came into force in April this year, and the Commissioner hopes that they will send a “strong message” to organisations handling personal data that they risk being fined if they fail to take the necessary care to protect the information that they hold about individuals.
Hertfordshire County Council was fined £100,000 for two serious incidents in which the Council’s childcare litigation unit sent faxes to the wrong recipients. The first fax contained sensitive information about a child abuse case; the second contained information relating to the care proceedings of three children, together with details of previous convictions and domestic violence records of other individuals. The fact that the second incident happened at all was treated as an aggravating factor, since it showed that the measures the Council had adopted after the first incident were inadequate to prevent a recurrence.
In the Commissioner’s view, the sensitive nature of the information involved was such that if that information was to be faxed, the Council should have ensured that it had a ‘phone ahead’ and ‘confirmation of receipt of fax’ process in place at the very least.
In the second case, A4e Limited was fined £60,000. The company operated Community Legal Advice Centres in Hull and Leicester for the Legal Services Commission. It issued one of its employees with a laptop for home working, and the laptop was stolen from the employee’s home. It contained personal data and sensitive personal data relating to 24,000 legal advice centre clients, including the case type (for example, debt, welfare or employment), the name, postcode, date of birth and gender of the data subject, and whether or not the client was a lone parent, care leaver, carer, a victim of violence, ex-offender, young offender or gypsy traveller. While the laptop was password protected, it was unencrypted, and the Commissioner also noted that the company had not provided the employee with a cable lock or other security device to secure it. Furthermore, the company had policies in place requiring data stored on laptops to be encrypted, which showed that it was aware of the risk of a data security breach but had not ensured that those policies were actually followed.
The most striking feature of both cases is simply the routine nature of the security incidents. Neither involved high-tech data theft. In each case, simple technical and organisational measures could have prevented the incident, or at least mitigated its effects.
Reading the monetary penalty notices themselves, it is evident that the Commissioner has chosen to clearly document the reasoning he has adopted in determining that a fine is appropriate and within the scope of his powers. The Commissioner is also likely to have one eye on the potential for an aggrieved organisation to apply for a judicial review of his decision – although that appears unlikely in either of these cases. Both of the organisations themselves seem to have accepted the Commissioner’s findings and the fines they have been given.
The Commissioner has the power to levy fines of up to £500,000 and these fines are well below that maximum level. Not only will he want to give himself plenty of headroom to increase the level of fines for cases that he deems to be more serious than this, but he will also want to see if the message sinks in that he will use his powers. Only time will tell – but both of these organisations will today be facing up to the reputational damage that the publicity generated by these fines has caused, which may ultimately be more costly than the fines themselves.
November 24, 2010