A police force has been fined £150,000 for serial data breaches and a social care charity has been fined £70,000, having committed a breach of sufficient gravity to become the first charity to incur a data protection fine.
The police force was fined after it was discovered that it was common practice for officers to use unencrypted memory sticks to store personal data. The practice came to the attention of the Information Commissioner's Office (ICO) when an unencrypted memory stick containing sensitive personal data was stolen from an officer's home. The memory stick contained the details of over 1000 people linked to serious crime.
The ICO noted that the force had not restricted the downloading of information and staff had not received adequate training, despite a previous similar breach. The ICO Director of Data Protection stated "(T)his is a substantial monetary penalty, reflecting the significant failings the force demonstrated. We hope it will discourage others from making the same data protection mistakes". The force received an early payment discount of £30,000, reducing the monetary penalty to £120,000.
The social care charity was fined for a serious breach of the Data Protection Act, after a social worker left highly sensitive information about the care of four young children outside a London home. The reports included details of neglect and abuse suffered by the children. Upon investigating the matter, the ICO discovered that the social worker had received no data protection training.
In issuing the fine, the ICO highlighted that the incident had been “entirely avoidable”. It noted that the fine should be a warning to all charities of the importance of fulfilling their obligations under the Data Protection Act. Head of Enforcement at the ICO commented "(W)e do not want to be issuing monetary penalties to charities, but in this case the seriousness of the breach left us with little choice."
These recent fines reiterate the ICO's tough stance on fines, taking into account the frequency and seriousness of the breach.