The ICO has now issued its first monetary penalties for two serious breaches of the Data Protection Act.
The underlying purpose of the penalties is to promote DPA compliance, so what message is the ICO trying to get across?
The ICO has teeth
At a basic level, in the words of the Information Commissioner, Christopher Graham:
"These first monetary penalties send a strong message to all organisations handling personal information. Get it wrong and you do substantial harm to individuals and the reputation of your business. You could also be fined up to half a million pounds."
Fines will be used to "give the ICO the teeth that many people in the past said it lacked" and so organisations "can see what happens if they don't go along with what we're submitting." (quotes attributed to Graham speaking before the first penalties were levied).
Public and private sector
Whether the symbolism is intended or not, the fact that fines were simultaneously imposed on a public sector organisation (Hertfordshire County Council) and a private sector organisation (A4e, an employment services company) illustrates that non-compliance on both sides of the fence will be viewed equally seriously.
The ICO will, however, take into account the size of an organisation when determining the level of financial penalty to apply. The fines, while large, could have been much larger, and I would expect that a future data breach on the scale of HMRC's loss of 25 million records (described by Graham as the horror benchmark) would be the sort of thing that would attract the maximum penalty, based on the levels set here.
Sensitive personal data
Both fines involved sensitive personal data: in the case of the Council, information concerning child abuse and care proceedings; and in the case of A4e, information regarding alleged criminal activity and whether an individual had been a victim of violence. The fines therefore illustrate the particular care that is required when dealing with sensitive personal data (i.e. data concerning religious beliefs, political opinions, health, sexual orientation, race, criminal convictions or activity, and trade union membership).
In contrast, the ICO did not fine Google for what it described as a "significant breach" of the Act involving gathering large volumes of information for Google Street View, the vast majority of which would not have been sensitive personal data.
Both fines related to the loss, or potential loss, of data resulting from procedural and data security failings. While many breaches of the DPA can arise without any data security failings or data loss, it remains to be seen to what extent breaches other than data loss will qualify as serious breaches capable of meeting the statutory criteria for the imposition of a fine.
Specific data security issues
The A4e case, which involved the issuing to an employee of an unencrypted laptop that was subsequently stolen, illustrates, in the words of the ICO, "the need for data controllers to ensure that appropriate and effective security measures, such as encryption, are applied to personal data held on laptop computers". Other possible measures, not employed here, would include the use of a Kensington lock to physically secure the laptop and storing the data offsite rather than on the laptop itself.
Sending sensitive data by fax
The Hertfordshire County Council case (where, within two weeks, two faxes containing highly sensitive personal information were sent without cover sheets to the wrong numbers) illustrates "the need for data controllers to review the sending of confidential and sensitive personal data by fax and to ensure either that alternative more secure means are used or that, at a minimum, appropriate and effective security measures are applied to the use of fax". At the very least, the ICO said, the Council should have had in place appropriate procedures to ensure that staff phoned ahead before sending sensitive data by fax and that receipt of the faxes was subsequently confirmed.