A law firm which offers more

Call us: 0113 246 0622

Information Commissioner hands out first monetary penalties for breaches of Data Protection


Hertfordshire County Council (“HCC”) and A4e Limited (“A4e”) have received the first monetary penalties from the Information Commissioner (“IC”) for serious breaches of the Data Protection Act, both concerning the unintended disclosure of personal data. Under the Data Protection Act 1998 (the “Act”), the IC can serve a data controller with a monetary penalty notice if it is satisfied that there has been a serious breach of section 4(4) of the Act by the data controller, which was likely to cause substantial damage or distress. 

HCC was fined £100,000 for sending faxes (on two separate occasions) containing personal information on a child sexual abuse case and details of child care proceedings to the wrong recipients.

The IC found that HCC had (as data controller) failed to take the appropriate organisational measures against unauthorised processing of personal data, and such failures had the potential to cause substantial damage and/or substantial distress to the data subjects whose unauthorised confidential and sensitive personal data was sent to a member of the public.  The IC considered that the failure could have resulted in a court case being prejudiced, which again would have caused substantial upset to the data subject concerned. 

The IC also found that because the two breaches occurred within a short space of each other, HCC had, after the first breach, the opportunity to put in place measures to safeguard against future data protection breaches. 

A4e was fined £60,000 for the loss of an unencrypted laptop which contained personal information relating to 24,000 people who had used the community legal advice centres in Hull and Leicester.  The IC imposed this penalty because A4e had failed to take appropriate technical and organisational measures to avoid the loss of data when it issued the unencrypted laptop to its employee (even though it was fully aware of the nature of the information contained on the laptop), and the potential distress the breach could have caused to the data subjects. 

In the monetary penalty notices, the IC highlighted certain measures to safeguard against the above-mentioned breaches, which included:

If your company/organisation holds and/or processes personal data then it is important you consider whether you need to implement all, or some, of the above measures to safeguard against future data protection breaches because as Christopher Graham (the IC) explained:

these first monetary penalties send a strong message to all organisations handling personal information.  Get it wrong and you do substantial harm to individuals and the reputation of your business.  You could also be fined up to £500,000”. 

If you are unsure about whether your company/organisation has sufficient measures in place, please feel free to call Matthew Hattersley on 0113 336 3351 or Victoria Lethaby on 0113 336 3324. There is also useful guidance on the IC’s website, www.ico.gov.uk, including sector specific guides so you can check if there are any particular obligations that just apply to your sector.  You can also call the IC’s helpline on 0303 123 1113, which is open 9.00 am to 5.00 pm, Monday to Friday.

Disclaimer: Anything posted on this blog is for general information only and is not intended to provide legal advice on any general or specific matter. Please refer to our terms and conditions for further information. Please contact the author of the blog if you would like to discuss the issues raised.