The Information Commissioner was given the power in April 2010 to issue financial penalties of up to £500,000 for breaches of the Data Protection Act 1998. Hertfordshire County Council and A4e are the unfortunate recipients of the first of such fines. Hertfordshire County Council was fined £100,000 for accidentally sending two faxes to the wrong recipients, containing sensitive personal data relating to children. A4e was fined £60,000 after the company provided an unencrypted laptop to an employee for the purpose of home working. The laptop contained personal information relating to 24,000 people who had used community legal advice centres in Hull and Leicester. These personal details included names, dates of birth, postcodes, employment status, income level, information about alleged criminal activity and whether an individual had been a victim of violence. The ICO ruled that A4e had not taken reasonable steps to avoid the loss of data.

These fines send a strong message that ICO is prepared to use its powers to impose financial penalties. Housing associations are encouraged to provide training to staff on data protection compliance and to implement and update information security policies.