The UK data protection watchdog, the Information Commissioner's Office ("ICO"), has today handed out the first 'fines' for serious breaches of the Data Protection Act 1998 ("the Act"). The fines, issued to Hertfordshire County Council and employment company A4e, are the first fines issued since new powers to fine were given to the ICO in April.
In January of this year, MacRoberts detailed how the ICO was to be given new powers to issue fines of up to £500,000 to data controllers (i.e. those parties handling personal data) who committed a breach of the Act. A fine could be issued where either the breach of the Act was deliberate, or where the data controller ought to have known that a breach would occur and failed to take steps to prevent the breach.
The first fine - issued to Hertfordshire County Council ("the Council") - was a fine of £100,000. On two separate occasions in June 2010, members of staff at the Council's childcare unit faxed sensitive, personal information to the wrong people. In the first case the details (relating to sexual abuse) were faxed to a member of the public instead of the intended recipient, a barrister involved in the case. In the second case the details (relating to children's care proceedings) were faxed to a barrister who was not involved in the case at all.
The ICO imposed the £100,000 fine on the Council for failing to stop the two serious breaches. The issue was made all the more serious by the fact that following the first breach the Council failed to put adequate steps in place to stop the second breach occurring.
The second fine issued by the ICO was a fine of £60,000 to employment services company A4e for losing a laptop which contained a large amount of unencrypted personal information relating to members of the public (names, postcodes, and dates of birth amongst others). The laptop containing the data was taken home by an employee of A4e (who was working from home) but was subsequently stolen.
The ICO considered this to be a breach of the Act because the data loss was likely to cause substantial distress to the parties involved. In addition, it was held that A4e did not take reasonable steps to avoid the loss of the data.
What to Note
It is clear from these cases that the ICO will not shy away from using its new powers to fine where there have been serious breaches of the Act. The Information Commissioner, Christopher Graham, said "These first monetary penalties send a strong message to all organisations handling personal information. Get it wrong and you do substantial harm to individuals and the reputation of your business. You could also be fined up to half a million pounds".
Anyone who handles personal information should therefore have substantial processes in place to ensure that a breach of the Act does not happen. This makes having a robust data protection process in place all the more important. If proper procedures are not in place and a serious breach occurs, the next step could be a fine of £500,000.