A city council has been fined £120,000 after one of its employees sent a series of emails containing sensitive child protection data to the wrong address. The council's internal guidance correctly specified that sensitive data should be sent over a secure network or encrypted, but the employee's team had not been provided with encryption software or training, and the council was aware that such emails were being sent over insecure networks.
In another case, a local authority was fined £250,000 for failing to obtain adequate guarantees from a third-party data processor about how personal data would be kept secure. The breach came to light after employee records containing personal data such as salary and bank account details were discovered in a public recycling bin. The council had employed an outside company to digitise the records, but had no contract in place with that company, did not ask for guarantees about the security protecting the records and did not make sufficient attempts to monitor how the data was being handled.
For the last two years, the Information Commissioner's Office (ICO) has had the power to impose fines of up to £500,000 on organisations where there has been a breach of the Data Protection Act principles which is:
- serious; and
- likely to cause substantial damage or distress; and
- deliberate or reckless (in other words, the organisation knew, or ought to have known, that there was a risk that the serious contravention would occur, but failed to take reasonable steps to prevent it).
Most fines issued to date have been for failures to keep personal data secure. Although the potential financial penalties are not high compared with those available to other regulators, such as the Financial Services Authority, there is now a steady stream of fines, and if the European Commission's plans in this area go ahead, there could be significant changes to data protection law within the next couple of years. One feature of the proposed new regime would be the ability for authorities to impose fines of up to 2% of annual worldwide turnover for some breaches.
The safe approach for employers as data controllers is to follow ICO guidance and, in particular, to carry out risk assessments; to implement policies and procedures (encrypting removable media and email containing sensitive data, at the very least) and to provide the tools and training needed for employees to comply with them; and, as the second case above illustrates, to put a written contract in place with any data processor they use and to monitor that processor's compliance rather than simply assume it. A policy that staff cannot follow, because the encryption software or training has not been provided, offers no protection against a fine.