ICO issues largest fine to date

The ICO has issued a fine of £120,000 for serious contraventions of the Data Protection Act, its largest to date, to Surrey County Council after three incidents in which sensitive information was sent by e-mail to the wrong recipients.

The ICO found that the Council had failed to comply with the Seventh Data Protection Principle, by failing to implement security measures such as:

  • encrypting sensitive personal data;
  • providing employees with appropriate IT training and support; and
  • establishing naming conventions for group e-mail lists which could not be easily mistaken by its employees.  

The ICO also took into account when setting its fine the fact that remedial action taken after the first (and most serious) breach had not been sufficient to prevent two similar security breaches occurring.

Data Sharing Code published

A statutory code of practice providing advice for businesses and public sector bodies on sharing personal data was published by the ICO on 11 May 2011. While following the code is not a legal requirement, it represents best practice and minimises the risk of breaking the law and facing ICO enforcement action. A new summary checklist providing a quick reference guide to sharing information has also been published.

CCTV monitoring website censured

A website which allows members of the public to monitor CCTV footage from cameras installed in shops and other businesses has been forced to make privacy changes after video footage taken from the service was posted on Youtube.

Internet Eyes has given an undertaking to the ICO to make immediate changes to its service, including encrypting its CCTV video streams and keeping records of which users are viewing CCTV footage.

Data leaks at Scottish Councils

North Lanarkshire Council has given undertakings to the ICO to implement adequate security procedures and policies for personal data within its Housing and Social Work Services department following the theft of an employee’s bag containing sensitive personal data relating to six vulnerable individuals.

Dumfries and Galloway Council has apologised to staff and announced an enquiry following an error in responding to an FOI request about employee salaries which resulted in staff names and dates of birth being disclosed and subsequently published on a website.

Former T-mobile workers fined for theft of personal data

Two former employees of T-mobile have been order to pay a total of £73,700 following a prosecution under section 55 of the Data Protection Act, the criminal offence of knowingly or recklessly obtaining or disclosing personal data without the consent of the data controller.

The employees had taken customer contract renewal data from T-mobile’s customer database and sold it on the black market.  The fines were levied under the Proceeds of Crime Act 2002 and represent part of a new ICO deterrence strategy for data crimes which will involve it seeking to recover the criminal proceeds of such activities.