New powers, designed to prevent serious breaches of personal data security, came into force on 6 April 2010. The Information Commissioner’s Office (ICO) can now order organisations to pay up to £500,000 as a penalty for serious breaches of one or more of the eight principles in the Data Protection Act 1998 (DPA).
The ICO recently served the first monetary penalties under the powers.
Hertfordshire County Council has been issued with a monetary penalty following two serious incidents where Council employees in the childcare litigation unit faxed highly sensitive personal information to the wrong recipients. The Council reported both breaches to the ICO. The Commissioner ruled that a penalty of £100,000 was appropriate as the data breach could have caused substantial damage and distress and the Council had failed to take steps to prevent a recurrence of the mistake.
Employment services company A4e has been issued with a monetary penalty of £60,000 after the loss of an unencrypted laptop containing personal information regarding 24,000 people who had used community legal advice centres. The laptop was stolen from the home of one of the company’s employees. A4e reported the loss of data to the ICO, which found that it had failed to take reasonable steps to prevent the data loss.
The Information Commissioner, Christopher Graham, said, “These first monetary penalties send a strong message to all organisations handling personal information. Get it wrong and you do substantial harm to individuals and the reputation of your business.”