Hertfordshire County Council (“HCC”) and A4e Limited (“A4e”) have received the first monetary penalties from the Information Commissioner (“IC”) for serious breaches of the Data Protection Act, both concerning the unintended disclosure of personal data. Under the Data Protection Act 1998 (the “Act”), the IC can serve a data controller with a monetary penalty notice if it is satisfied that there has been a serious breach of section 4(4) of the Act by the data controller, which was likely to cause substantial damage or distress.
HCC was fined £100,000 for sending faxes (on two separate occasions) containing personal information on a child sexual abuse case and details of child care proceedings to the wrong recipients.
The IC found that HCC had (as data controller) failed to take the appropriate organisational measures against unauthorised processing of personal data, and that such failures had the potential to cause substantial damage and/or substantial distress to the data subjects whose confidential and sensitive personal data was sent, without authorisation, to a member of the public. The IC considered that the failure could have resulted in a court case being prejudiced, which again would have caused substantial upset to the data subject concerned.
The IC also found that, because the two breaches occurred within a short space of time of each other, HCC had, after the first breach, the opportunity to put in place measures to safeguard against future data protection breaches.
A4e was fined £60,000 for the loss of an unencrypted laptop which contained personal information relating to 24,000 people who had used the community legal advice centres in Hull and Leicester. The IC imposed this penalty because A4e had failed to take appropriate technical and organisational measures to avoid the loss of data when it issued the unencrypted laptop to its employee (even though it was fully aware of the nature of the information contained on the laptop), and because of the potential distress the breach could have caused to the data subjects.
In the monetary penalty notices, the IC highlighted certain measures to safeguard against the above-mentioned breaches, which included:
- only using the “auto dial” button on a fax machine instead of manually inputting the fax number, which could result in the wrong fax number being inputted;
- using a “ring ahead” procedure, which requires the member of staff to phone ahead and/or the recipient of the fax to immediately confirm safe receipt;
- the use of encryption and port control on all laptops/personal computers used by employees outside the office;
- providing all employees with information and communications technology training; and
- reissuing all employees with copies of the relevant ICT policies and requesting confirmation from employees that they are processing data in accordance with such policies.
If your company/organisation holds and/or processes personal data then it is important you consider whether you need to implement all, or some, of the above measures to safeguard against future data protection breaches because, as Christopher Graham (the IC) explained:
“these first monetary penalties send a strong message to all organisations handling personal information. Get it wrong and you do substantial harm to individuals and the reputation of your business. You could also be fined up to £500,000”.
If you are unsure about whether your company/organisation has sufficient measures in place, please feel free to call Matthew Hattersley on 0113 336 3351 or Victoria Lethaby on 0113 336 3324. There is also useful guidance on the IC’s website, www.ico.gov.uk, including sector specific guides so you can check if there are any particular obligations that just apply to your sector. You can also call the IC’s helpline on 0303 123 1113, which is open 9.00 am to 5.00 pm, Monday to Friday.