The Information Commissioner has served the first monetary penalties for serious breaches of the Data Protection Act 1998 (DPA).
In the first case, Hertfordshire County Council was issued with a penalty of £100,000 for two serious incidents where Council employees faxed highly sensitive personal information to the wrong recipients. The first concerned information meant for a barrister, regarding a case of child sexual abuse that was before the courts. The fax was sent in error to a member of the public. The Council subsequently obtained a court injunction prohibiting disclosure of the facts of the court case or the circumstances of the data breach. The second breach occurred a few days later when another member of the Council’s childcare litigation unit sent sensitive information that was intended for Watford County Court to a set of barristers’ chambers unconnected with the proceedings to which the information related.
The Council reported both breaches to the Information Commissioner’s Office (ICO). The Commissioner ruled that a penalty of £100,000 was appropriate as the data breach could have caused substantial damage and distress and the Council had failed to take steps to prevent a recurrence of the mistake.
In the second case, a monetary penalty of £60,000 was levied on an employment services company, A4e, after the loss of an unencrypted laptop containing personal information regarding 24,000 people who had used community legal advice centres in Hull and Leicester. The laptop was stolen from the home of one the company’s employees. A4e reported the loss of data to the ICO and subsequently notified those whose data could have been accessed. The ICO found that it had failed to take reasonable steps to prevent the loss of the data.
The Information Commissioner, Christopher Graham, said, “These first monetary penalties send a strong message to all organisations handling personal information. Get it wrong and you do substantial harm to individuals and the reputation of your business.”
The power to levy penalties for serious breaches of one or more of the eight principles in the DPA came into force on 6 April 2010. The maximum an organisation can be fined is £500,000.
Click here for guidance on the eight Data Protection Principles.