Data protection hit the headlines again this morning with news that two bodies have been issued with substantial fines by the Information Commissioner, Christopher Graham, after breaching the Data Protection Act (DPA).
Hertfordshire County Council is to be fined £100,000 after two successive data protection breaches. In both instances a fax containing sensitive personal information relating to a child sex abuse case and care proceedings was accidentally sent to the wrong recipient. The Commissioner ruled a monetary penalty of £100,000 was appropriate, given that the council's procedures had failed to prevent two serious breaches where access to the data could have caused substantial damage and distress. The Commissioner also ruled that, after the first breach, the council did not take sufficient steps to reduce the likelihood of another breach occurring.
The second body is A4e, an employment services company, which issued an unencrypted laptop to an employee working from home. The laptop, containing personal information on 24,000 people who had used community legal advice centres in Hull and Leicestershire, was later stolen from the employee's home, and an unsuccessful attempt was made to access the data. The Commissioner ruled that A4e did not take reasonable steps to avoid the loss of the data when it issued the employee with an unencrypted laptop, despite knowing the amount and type of data it contained. As a result A4e is to be fined £60,000.
The Commissioner said the theft of the laptop was "less shocking" than the council's security breaches. However, he added it "also warranted nothing less than a monetary penalty as thousands of people's privacy was potentially compromised by the company's failure to take the simple step of encrypting the data".
In its practice note on notification of data security breaches (issued in February this year), the Information Commissioner's Office (ICO) sets out clear guidelines. It states there should be a presumption to report breaches to them where a large volume of personal data is concerned and there is a real risk of individuals suffering harm. Yet what constitutes a large volume of personal data? The ICO states every case must be considered on its own merits but a reasonable rule of thumb according to the practice note is "any collection containing information about 1,000 or more individuals". However the practice note also stresses that it may be appropriate to report lower volumes in circumstances where the risk itself is particularly high; for example because of the circumstances surrounding the loss or the sensitivity of information about each individual.
The practice note advocates that if in doubt, then the presumption should be to report the breach. The Commissioner's message is clear. In a press release today, the Commissioner said "these first monetary penalties send a strong message to all organisations handling personal information. Get it wrong and you do substantial harm to individuals and the reputation of your business. You could also be fined up to half a million pounds".
Increased fining powers under the DPA were introduced in April this year for serious breaches. Until now the Commissioner has held back from exercising these increased powers, but these two cases show that it is prepared to hit organisations hard. The unencrypted laptop case is a very typical data security breach. For any organisation that has failed to adopt good data security practices, this is a major wake-up call.