Substantial fines levied by Information Commissioner following Data Protection Act breaches

The Information Commissioner (“ICO”) has announced the details of two fines to be imposed on organisations for breaches of the Data Protection Act (“DPA”), the first to be imposed under the new penalty regime, which came into force on 6 April 2010. The announcement of the fines is seen by commentators as an important step in the development of the new regime and a timely reminder for organisations to ensure they comply with the DPA.

The first reported incident involved Hertfordshire County Council’s childcare litigation unit, which was fined £100,000 as a result of two separate incidents within a two-week period in which employees had faxed highly sensitive information to the wrong recipients. The monetary penalty was imposed because the Council’s procedures had failed to prevent these very serious incidents from taking place. Access to the personal data by the unintended recipients could have caused substantial damage and distress to the individuals concerned, who included children.

The second fine, of £60,000, was made against A4e, following the theft from an employee’s home of a laptop that contained sensitive personal data. The laptop held the data of 24,000 people, including their names, dates of birth, salaries and post codes, in addition to other information. A4e had failed to take reasonable steps to ensure that the data stored on the laptop was encrypted, despite knowing the type and amount of data on the laptop. Again, the ICO levied the fine because the breach of the DPA by A4e could have caused substantial loss to the individuals whose information was on the laptop at the time of the theft.

There are two clear messages arising from the ICO announcement. The first is that organisations must implement comprehensive procedures to prevent similar incidents happening in their own organisations. The second is the importance of acting fast and taking appropriate advice in the event of a suspected breach of the DPA within their organisation. In all the circumstances referred to above, the organisations involved are said to have notified the ICO of the suspected breaches. If Hertfordshire County Council and A4e had not co-operated with the ICO, the ICO may have increased the fines imposed, up to a limit of £500,000. The risks of non-compliance with the DPA are now real and substantial.

Written by Matthew Read, a Solicitor in the Nelsons Commerce and Technology group.