On October 23, 2012, just two weeks after issuing a series of reports highlighting the UK Information Commissioner’s Office’s (“ICO’s”) concerns regarding data protection compliance within the public sector, the ICO imposed a monetary penalty of £120,000 and issued an enforcement notice against the Stoke-on-Trent City Council (“Stoke Council”) in relation to a serious data breach. The breach involved the transmission of sensitive personal information relating to a child protection case by email, unmarked and unprotected, to the incorrect email address.
On October 11, 2012, the ICO published three reports summarizing the audits it had conducted from February 2010 to July 2012 in the public sector, specifically central government, local authorities and National Health Service (“NHS”) organizations. A fourth report summarized the results of audits of private sector organizations. The ICO encourages the use of audits as an educational and best practice-sharing tool. As a general matter, following an audit, the ICO provided the organization with an assurance rating ranging from “very limited assurance” to “high assurance.” The ICO’s audit outcomes report for the private sector showed that 11 of the 16 private sector organizations audited were awarded the highest assurance rating and none were issued the lowest rating. Louise Byers, Head of Good Practice at the ICO, commented on the fairly high level of data protection compliance demonstrated by the private sector organizations audited to date: “The private sector organisations we have audited so far should be commended for their positive approach to looking after people’s data.” Byers cautioned the private sector not to “rest on their laurels”, however. In contrast, the public sector organizations audited provided a much lower overall level of compliance assurance: only one of the 15 NHS bodies, one of the 19 local government bodies, and two of the 11 central government departments were awarded the highest assurance rating. The report on local authorities showed that 10 of the 19 organizations audited fell within the “limited assurance” range. The latest monetary penalty imposed against the Stoke Council appears to be evidence of a continuing trend of poor data protection compliance by public bodies in the UK.