The UK Information Commissioner's Office (ICO) has announced two more fines for serious breaches of the Data Protection Act following the loss of two unencrypted laptops containing sensitive personal information. The organisations that have been fined are both part of London local government: Ealing Council and Hounslow Council.
How Did the Councils Breach the Data Protection Act?
Two laptops containing the details of approximately 1,700 individuals were stolen from an employee's home. About 1,000 of the individuals were clients of Ealing Council and almost 700 were clients of Hounslow Council. Hounslow was using Ealing to manage the relevant services on its behalf. Both laptops were password protected but not encrypted. The ICO has said that there is no evidence to suggest that the data held on the computers had actually been accessed and no complaints from clients had been received. The ICO takes the view, however, that this is nevertheless a significant risk to the clients' privacy.
What Do the New Fines Mean for Business in the UK?
These fines tell a continuing story of increasing enforcement by the ICO, in particular in relation to loss of unencrypted laptops or other portable media. Of the four fines imposed by the ICO to date, three concern the loss of unencrypted laptops. In our view, this raises the following points:
- All portable media containing personal data must be encrypted. Mere password protection is not enough.
- The ICO is quite clear that an organisation may breach the Data Protection Act in cases like this, where a laptop is stolen from an employee's home, even though there is no evidence that the data held on the laptop has been accessed by any unauthorised person. The imposition of fines is therefore directly contingent on the relevant breach of the Data Protection Act rather than on the need to demonstrate any actual damage or harm to individuals. This forms a pattern of ICO enforcement for data security breaches (see our earlier newsflash dated 1 December 2010 in relation to the first fines imposed by the ICO for data security breaches).
- In this case, the issuing of the unencrypted laptop to a member of staff was a breach of the relevant policy. This underlines the need to check that your policies are being followed and understood by staff in practice.
- The fact that Hounslow Council was using Ealing to provide the relevant service gives rise to a requirement for it to put a written contract in place with Ealing. This is a general obligation applicable to all data controllers where they use third parties (data processors) to provide services on their behalf. The ICO also underlines the importance of controllers monitoring the procedures adopted by processors to ensure that services are provided securely. Arrangements with data processors should therefore be reviewed to ensure they comply with the relevant legal requirements (e.g. a written contract containing prescribed terms as to data protection) and that these requirements are being followed in practice.
- Interestingly, the relevant employees were working from home when the laptops were stolen. There are particular cost pressures on the UK public sector at the moment with government spending cuts and, no doubt, having employees work from home may help provide cost savings. This does not, however, obviate the need to ensure that data is protected whilst off-site in the same way that it would be protected on-site. This is also a real issue for many businesses as ever-increasing numbers of employees work from home or access company data on PDAs, iPads or laptop computers while travelling.