First Data Breach ‘Fines’

November 24, 2010

The Information Commissioner has served two organisations with monetary penalty notices for serious breaches of the Data Protection Act.

The first penalty, of £100,000, was issued to Hertfordshire County Council for two serious incidents where council employees faxed highly sensitive personal information to the wrong recipients. The first case, involving child sexual abuse, was before the courts, and the second involved details of care proceedings.

The second monetary penalty, of £60,000, was issued to employment services company A4e for the loss of an unencrypted laptop which contained personal information relating to 24,000 people who had used community legal advice centres in Hull and Leicester.

The Hertfordshire County Council breaches occurred in June 2010 when employees in the council’s childcare litigation unit accidentally sent two faxes to the wrong recipients on two separate occasions. The council reported both breaches to the Information Commissioner’s Office (ICO). The first misdirected fax was meant for barristers’ chambers and was sent to a member of the public. The council subsequently obtained a court injunction prohibiting any disclosure of the facts of the court case or circumstances of the data breach. The second misdirected fax, sent 13 days later by another member of the council’s childcare litigation unit, contained information relating to the care proceedings of three children, the previous convictions of two individuals, domestic violence records and care professionals’ opinions. The fax was mistakenly sent to barristers’ chambers unconnected with the case. The intended recipient was Watford County Court.

The Commissioner ruled that a monetary penalty of £100,000 was appropriate, given that the Council’s procedures failed to stop two serious breaches taking place where access to the data could have caused substantial damage and distress. After the first breach occurred, the council did not take sufficient steps to reduce the likelihood of another breach occurring.

The A4e data breach also occurred in June 2010 following the company issuing an unencrypted laptop to an employee for the purposes of working at home. The laptop contained sensitive personal information when it was stolen from the employee’s house.

The laptop contained personal information relating to 24,000 people who had used community legal advice centres in Hull and Leicester. An unsuccessful attempt to access the data was made shortly after the laptop was stolen. Personal details recorded on the system included full names, dates of birth, postcodes, employment status, income level, information about alleged criminal activity and whether an individual had been a victim of violence. A4e reported the incident to the ICO. The company subsequently notified the people whose data could have been accessed.

The Commissioner ruled that a monetary penalty of £60,000 was appropriate, given that access to the data could have caused substantial distress. A4e also did not take reasonable steps to avoid the loss of the data when it issued the employee with an unencrypted laptop, despite knowing the amount and type of data that would be processed on it.

Information Commissioner, Christopher Graham, said:

‘It is difficult to imagine information more sensitive than that relating to a child sex abuse case. I am concerned at this breach – not least because the local authority allowed it to happen twice within two weeks. The laptop theft, while less shocking, also warranted nothing less than a monetary penalty as thousands of people’s privacy was potentially compromised by the company’s failure to take the simple step of encrypting the data. These first monetary penalties send a strong message to all organisations handling personal information. Get it wrong and you do substantial harm to individuals and the reputation of your business. You could also be fined up to half a million pounds.’  

Kenneth Mullen, partner at Withers LLP commented:
‘Until now, financial sanctions for breach of UK data protection law were rare and had been seen as reasonably weak. However, with these decisions, the game has changed significantly. The Information Commissioner has said he wants to send a “strong message” to organisations. One thing is clear – these penalties are unlikely to be the last. Organisations must take privacy compliance across their business very seriously particularly when handling sensitive or financial data. The consequences of ignoring data protection in the UK are going to become considerably more expensive.’

Also commenting on the fines, Stewart Room, partner at Field Fisher Waterhouse, said:

‘For so long the ICO has been the weak man of Europe as far a privacy regulation is concerned. However, through these fines the ICO now joins the ranks of one of the continent’s toughest regulators. It provides a stark warning to companies that they face tough regulatory action, associated bad publicity and reputational damage if they expose confidential personal data to the risk of theft, loss or miscommunication.’

Stewart added that the fining of Hertfordshire County Council is a bold move in times of public sector cutbacks:

‘Council tax payers in Herts will be entitled to be angry that their hard-earned money is being paid to compensate for regulatory failures, particularly when the issue at the heart of the case – misdirecting of faxes – is the kind of problem that data controllers should be on top of. In addition, the fining of A4e following the theft of an unencrypted laptop tells organisations that they will face financial penalties for the acts of criminals. Organisations therefore need to ensure that their risk assessments cover malevolent and opportunistic threats as well as the threats caused by mishaps and accidents.’

Full details about the monetary penalty for Hertfordshire County Council are available on the ICO website here. Full details of the monetary penalty for A4e are available on the ICO website here.