Last week the Information Commissioner issued two monetary penalty notices. This is the first use of the new powers, introduced in April this year, which enable the Commissioner to fine data controllers up to half a million pounds for serious breaches of the Data Protection Act 1998.
The first penalty notice was served following two data security breaches at a local authority. On 10 June 2010 an employee mistakenly faxed highly sensitive, and potentially damaging, information regarding a court action for child sex abuse to a member of the public rather than to the intended barristers' chambers. So serious was this breach that two officials from the Information Commissioner's office attended the employer's premises on 24 June to check what remedial steps were being taken. Unfortunately, that same day, another employee faxed details of care proceedings involving 18 data subjects to the wrong recipient. The Information Commissioner fined the employer £100,000.
The second penalty notice, for £60,000, was served on an employer after an unencrypted laptop containing personal data relating to 24,000 people was stolen from an employee's home.
The Information Commissioner has power to issue a monetary penalty notice where there has been a serious breach of the data protection principles of a kind likely to cause substantial damage or substantial distress, and the breach was deliberate. A notice can also be issued where the breach was not deliberate but the data controller (here, the employer) knew, or ought to have known, that there was a risk of such a breach occurring and failed to take reasonable steps to prevent it.
Employers need to ensure that, where employees may remove personal data from work premises or send it to third parties, appropriate security measures are in place. The two cases point to the minimum expected: encrypting laptops and other portable devices that leave the office, and having a procedure for confirming fax numbers and recipients before sensitive documents are sent. Once a breach has been identified, the steps taken to prevent a repeat will be scrutinised closely, as the second fax incident shows.