On 8 February 2011 the Information Commissioner’s Office (“ICO”) issued two monetary penalty notices for serious breaches of the Data Protection Act. Ealing Council and Hounslow Council were fined £80,000 and £70,000 respectively for the loss of two unencrypted laptops containing sensitive personal information. (This might be considered rather unfair on the poor council tax payers of Ealing and Hounslow, though like those councils’ own parking fines, the ICO have applied a discount for early payment.)
Four fines have now been imposed. The first two fines, imposed in November 2010, were covered in a previous posting on this blog.
Ealing Council provided an out-of-hours service on behalf of both councils, which relied on the use of laptops to record information about individuals. Two of these laptops were lost. There was no evidence to suggest that the data held on the computers had been accessed, and no complaints from those affected were received. However, there was still held to be a significant risk to the privacy of the affected individuals.
As with the two previous occasions that gave rise to fines, the ground on which the fine was imposed was a failure to comply with the seventh data protection principle (the need to take “appropriate technical and organisational measures” to protect data). The specific failure was the failure to encrypt the data.
The following lessons emerge:
Laptops and other off-site devices should be encrypted if they contain sensitive personal information. Password protection alone is not adequate.
It is not enough to have a data security policy in place; this must also be adhered to by employees. This requires employee training and the promotion of general awareness of data protection issues.
Data processing cannot simply be outsourced without checking that the data being handed over is properly protected, and will continue to be treated in such a way.