As you may recall from our previous announcement last April, the Commissioner obtained new powers as from 6 April 2010, to fine organisations up to £500,000 for serious breach of the Act.
We have been waiting with bated breath since then to see which organisation would be the first to incur the new fines.
Today, 24 November 2010, the ICO decided to make an example of both a public sector organisation – Hertfordshire County Council – and a private sector organisation – employment services company A4e Limited.
Public Sector fine of £100,000
Hertfordshire County Council has been fined £100,000 for two similar breach incidents that occurred in a short space of time last June, when the Council’s childcare litigation unit accidentally faxed very sensitive details relating to child abuse matters and care proceedings to the wrong recipients.
Christopher Graham, the Information Commissioner, has commented that it was “difficult to imagine information more sensitive than that relating to a child sex abuse case”. The level of fine applied is also thought to be high because the Council had not taken the necessary steps to prevent further breach.
Private Sector fine of £60,000
A4e Limited has also been fined £60,000 for losing an unencrypted laptop in June. The ICO have often issued enforcement notices or required undertakings from organisations which have lost laptops and other mobile media. On this occasion, the ICO decided that a monetary penalty was a more appropriate sanction given that the company had failed to take the simple step of encrypting the data and that there were a large number of individuals affected by the breach – some 24,000 users of community legal advice services in Hull and Leicester.
What does this mean for us?
The Information Commissioner has said that “these first monetary penalties send a strong message to all organisations handling personal information – get it wrong and you do substantial harm to individuals and the reputation of your business. You could also be fined up to half a million pounds."
No doubt, the ICO will use the increased publicity surrounding these incidents to highlight its campaigns for even greater powers – including the power to imprison people found guilty of certain offences under the Act and the power to ‘dawn raid’ private sector organisations without warrant (as you may be aware the ICO has had the power to carry out such investigations in relation to public sector bodies since 6 April 2010).
Both organisations that have been fined today had voluntarily notified the ICO of the security breach incidents. At the moment, disclosure of a security breach incident is voluntary in the UK. A recent Onepoll survey has shown that four out of five people would like to see new UK laws introduced making it mandatory for organisations to make data breaches public. Mandatory breach notification legislation already exists in the United States and is on its way in Ireland.
While the fines issued today might be seen by some commentators to be ‘modest fines’ given that the ICO has the ability to issue much greater financial sanctions, it is clear that today’s first fines have already attracted widespread media attention.
It also means that the ICO is serious about using its new powers to penalise serious breaches of the Data Protection Act 1998 – even against the public sector, at a time when funds for compliance activities are thought to be scarce.
Top 10 Data Protection Compliance Tips
To avoid your Organisation being the next ‘named and shamed’ for data security breach, follow Pritchetts’ top 10 compliance tips:
1. Review your Organisation’s compliance in light of the increased risks of a £500,000 penalty for breach of the Act.
2. Ensure data protection moves up the corporate compliance agenda. It must now be taken seriously at a senior level in your Organisation.
3. Health Check data protection policies and procedures – website and client facing privacy policies; data collection forms; internal data protection policies; monitoring, communications, data retention and data destruction policies, outsourcing procedures etc. – to ensure these comprehensively cover all your data processing activities.
4. Review your ICO notification to ensure it is accurate and up to date. Many people rely on ICO templates and renew their annual notification yearly without making changes. Failure to notify new data processing activities within 28 days is a criminal offence.
5. Have a robust subject access request procedure in place – failure to fully comply with requests for information from individuals is the top reason for complaints to the ICO.
6. Ensure marketing team practices are compliant with the Act and the Privacy Regulations (via appropriate use of customer databases, opt-ins, opt-outs, unsubscribe requests etc.).
7. Ensure all contracts with third parties who are processing data on your behalf are in writing and contain the required data protection clauses. Pritchetts have free sample clauses (worth £500) available to readers; please contact us at www.pritchettslaw.com for more details.
8. Have a data security and security breach policy in place.
9. Ensure CCTV policies and signage are compliant.
10. Carry out staff data protection awareness training and stay abreast of legal developments in this area by signing up for free newsletters and reports from our data protection experts at www.pritchettslaw.com.