Following the loss of two laptops containing sensitive personal information, the Information Commissioner's Office ("ICO") has issued Ealing and Hounslow Councils with monetary penalties of £80,000 and £70,000, respectively, for serious breaches of the Data Protection Act 1998 ("the Act").
The two laptops were stolen from the home of an employee of Ealing Council's "out-of-hours" service - a facility which they also provide on behalf of Hounslow Council. The laptops contained the details of approximately 1,700 individuals, with data relating to both Councils.
While both laptops were password-protected, the data stored on them remained unencrypted, in breach of Ealing Council's own policy. Although the ICO acknowledged that there was no evidence to suggest the laptops had subsequently been accessed, it noted that such non-compliance nevertheless posed "a significant risk to the clients' privacy", contrary to the Act.
Hounslow Council were also held to have breached the Act by failing to implement sufficient monitoring and by failing to have a written contract in place with Ealing Council governing the processing of the personal information, as the Act requires.
Despite these serious shortcomings, the ICO noted that there are important lessons to learn from this case. In particular, Deputy Commissioner David Smith has said:
Where personal information is involved, password protection for portable devices is simply not enough. The penalty against Hounslow Council also makes clear that an organisation can’t simply hand over the handling of the personal information it is responsible for to somebody else unless they ensure that the information is properly protected.
The present case is the second occasion that the ICO has decided to issue monetary penalties since receiving its increased "fining" powers in April last year. The ICO is now able to issue fines of up to £500,000 for serious breaches of the Act.
Monetary penalties send out a strong message, and it is clear from these cases that the ICO will not shy away from using its new powers where there have been serious breaches of the Act. It is now arguably more important than ever for organisations to ensure that they have robust data protection policies and procedures in place, or else they risk paying the price - both in negative publicity and monetary penalties.