Two separate sets of fines for £100,000 and for £60,000 have been issued against Hertfordshire County Council and A4e Limited, respectively. They relate to unconnected incidents which occurred in June 2010. Although the amounts are not insignificant, the fines are some way below the £500,000 maximum which can be imposed.
- These cases illustrate that breaches of the Data Protection Act 1998 ("DPA") can lead to a fine even where a small number of individuals is affected;
- The regulator is far more interested in the practical effort invested by organisations in security and their actual knowledge of how employees use IT equipment than in written policies;
- Substantial damage or substantial distress need only be likely; they do not have to be demonstrated. In the case of "distress", this means injury to feelings, harm or anxiety suffered by an individual, even if the anticipated harm does not actually happen;
- The A4e case reinforces that encryption of work laptops used to store personal data is now regarded by the ICO as a required minimum.
In June a member of staff at Hertfordshire County Council ("HCC") Childcare Litigation Unit accidentally sent a member of the public a fax containing confidential details about 7 individuals in connection with a child sexual abuse case before the High Court. This happened when the pre-programmed speed dial number on the fax machine was busy and the staff member entered the number manually, using the wrong STD code and omitting a fax cover sheet with instructions on what to do if the fax was misdirected. The number dialled belonged to a member of the public who contacted the Council and the Information Commissioner's Office ("ICO"). To prevent the case from being prejudiced, HCC obtained a court injunction preventing the individual from disclosing any details.
HCC reported the incident to the ICO and was cooperative, meeting with ICO staff and taking remedial measures. Unfortunately, a second breach occurred (coincidentally, while ICO staff were on the premises). This time another staff member sent a fax with confidential information about care proceedings to a barristers' chambers instead of a court (the chambers were not acting on the case). A fax cover sheet had been used this time, and the clerk contacted HCC to confirm the information had been destroyed without being read. This time the information related to 18 individuals (two of whom were children), including previous criminal convictions of some of the adults, records of domestic violence and the opinions of care professionals about the adults' ability to care for the children.
HCC has now put in place a fax usage policy for Legal Services which includes a 'phone ahead' process and a system for confirming faxes have been received; clearance/sign off by qualified lawyers is now required for sending faxes, and there has been an audit of pre-set, programmed fax numbers.
The ICO set the fine at £100,000 on the grounds that HCC's procedures had failed to stop two serious breaches, where access to the data could have caused substantial damage and distress. After the first breach occurred, HCC failed to take sufficient steps to reduce the likelihood of another breach occurring.
The other fine relates to A4e Limited, which operates Community Legal Advice Centres in Hull and Leicester and employs around 3,250 staff, 1,000 of whom work at home or remotely. An employee had downloaded onto a work laptop sensitive information about 24,000 people who had used the advice centres. Details included full names, dates of birth, postcodes, employment status, ethnicity, disability status, income level, information about alleged criminal activity and whether individuals had been victims of violence. Although key codes were used for some of the more sensitive data types, the codes were explained in a document also stored on the computer. A4e had a rolling programme of encrypting work laptops; however, this one was not encrypted. It was stolen in a burglary from the worker's home, where it had been left on the dining room table (in breach of A4e's ICT policy). The only security on the laptop was password protection. A4e reported the incident to the ICO and also notified all 24,000 people whose data could have been accessed.
The ICO set the fine at £60,000 on the grounds that access to the data could have caused substantial distress (damage to their personal reputations) and substantial damage (risk of identity fraud). A4e did not take reasonable steps to avoid the loss of the data; it knew that there was a risk that the contravention would occur.
Remedial measures include the development of compulsory information security training; employees have been required to confirm by email that they are complying with A4e's ICT policy, and encryption and port control measures have been rolled out to all PCs and laptops used by employees. The ICO has been notified by a small number of individuals that they intend to claim compensation from A4e, although no claims have yet materialised.
Before issuing a fine or Monetary Penalty Notice ("MPN"), the Information Commissioner must be satisfied that there has been a serious contravention of the Data Protection Principles in the Data Protection Act 1998 and that the other statutory requirements are met (the breach is likely to cause serious damage or serious distress and was either deliberate or reckless and no reasonable steps were taken to prevent it).
Next, the Information Commissioner serves a Notice of Intent on the data controller. The data controller then has an opportunity to make representations about the issue of the MPN and/or the proposed size of the fine.
The Information Commissioner must consider any representations made and then decide whether or not to proceed with serving the MPN or to vary it, e.g. by varying the size of the fine, and informs the data controller accordingly. The data controller can appeal to the Tribunals Service against an MPN.