ICO issues first fines to Hertfordshire County Council and employment services company over accidentally sent data and lost laptop

News by Dan Raywood

Almost eight months after it was granted the right to issue a financial penalty, the Information Commissioner's Office has issued fines against two companies for data loss.

The ICO announced today that it has issued a penalty of £100,000 to Hertfordshire County Council for ‘two serious incidents’.

The breaches occurred in June 2010 when employees in the council's childcare litigation unit accidentally sent two faxes to the wrong recipients on two separate occasions. The council reported both breaches to the Information Commissioner's Office (ICO).

The first misdirected fax was meant for barristers' chambers and was instead sent to a member of the public. The council subsequently obtained a court injunction prohibiting any disclosure of the facts of the court case or circumstances of the data breach.

The second misdirected fax, sent 13 days later by another member of the council's childcare litigation unit, contained information relating to the care proceedings of three children, the previous convictions of two individuals, domestic violence records and care professionals' opinions. The fax was mistakenly sent to barristers' chambers unconnected with the case. The intended recipient was Watford County Court.

The ICO ruled that a monetary penalty of £100,000 was appropriate, given that the council's procedures failed to stop two serious breaches taking place, where access to the data could have caused substantial damage and distress. It also ruled that, after the first breach occurred, the council did not take sufficient steps to reduce the likelihood of another breach occurring.

A second monetary penalty of £60,000 was issued to employment services company A4e for the loss of an unencrypted laptop that contained personal information relating to 24,000 people who had used community legal advice centres in Hull and Leicester.

This also occurred in June 2010 following the company issuing an unencrypted laptop to an employee for the purposes of working at home. The laptop contained sensitive personal information when it was stolen from the employee's house.

An unsuccessful attempt to access the data was made shortly after the laptop was stolen. Personal details recorded on the system included full names, dates of birth, postcodes, employment status, income level, information about alleged criminal activity and whether an individual had been a victim of violence.

A4e reported the incident to the ICO. The company subsequently notified the people whose data could have been accessed. The Commissioner ruled that a monetary penalty of £60,000 was appropriate, given that access to the data could have caused substantial distress.

The ICO also ruled that A4e did not take reasonable steps to avoid the loss of the data when it issued the employee with an unencrypted laptop, despite knowing the amount and type of data that would be processed on it.

The Information Commissioner, Christopher Graham, said: “It is difficult to imagine information more sensitive than that relating to a child sex abuse case. I am concerned at this breach, not least because the local authority allowed it to happen twice within two weeks. The laptop theft, while less shocking, also warranted nothing less than a monetary penalty as thousands of people's privacy was potentially compromised by the company's failure to take the simple step of encrypting the data.

“These first monetary penalties send a strong message to all organisations handling personal information. Get it wrong and you do substantial harm to individuals and the reputation of your business. You could also be fined up to half a million pounds.”

Mark Fullbrook, director of UK and Ireland at Cyber-Ark, said: “People will always need to share information; that is not going to change. So the onus is on organisations to put in place solutions that can effectively mitigate against this risk whilst providing a secure environment in which to share data.

“Today's news should hopefully serve as a wake-up call for all those that have ignored this ticking time bomb for so long. The products are out there, so organisations need to get wise or risk the wrath of an ICO eager to flex its muscles.”

Ed Macnair, CEO of Overtis, said: “At first glance this looks like the ICO has real teeth. However, in the case of the stolen laptop, the penalty is less than £3 for each lost record. When you consider the fact that A4e is a £145 million company, the breach has had a higher impact on the 24,000 individuals whose confidential information has been lost.

“Similarly, this council had clearly not learned from the first devastating security breach and continued to use the same insecure channel for sharing highly sensitive information. The technology is there to prevent information from being stored in unencrypted format and to tightly control the faxing, sending and printing of confidential information. Let's hope that the ICO's action encourages other organisations to urgently review their policies and procedures.”

Stewart Room, partner of Field Fisher Waterhouse, who previously criticised the decision to cap the fine level at £500,000, claimed that the instances that led to the fine are typical and familiar: misdirected communications and the loss of an unencrypted laptop computer.

He said: “These are ‘business as usual problems’; they can befall any organisation. Neither case is unusual on the facts. It has been a relatively long wait, but the ICO has now finally come of age, joining the ranks of the toughest EU regulators for data protection.

“The fining of Herts is particularly significant because it shows that the ICO has the guts to hit the public sector during a time of public sector cutbacks. Basically, the fine has cost Herts a couple of teachers; Council Tax payers are entitled to be livid.

“The data controllers have also damaged their reputation; they will be forever tarnished with the stigma of being the recipients of the first fines in relation to the Data Protection Act, to be cited as case studies in conferences, seminars, news reports and Parliamentary inquiries. They will feel the ramifications of these fines for a very long time to come, in ways that they might not have anticipated yet.”
