In April 2010 the Information Commissioner (IC) was granted the authority to impose financial penalties for data protection breaches. Following two data protection breaches in June 2010, Mr Graham has fined a County Council and a Sheffield-based organisation £100,000 and £60,000 respectively for breaching the Data Protection Act by inadvertently disclosing personal data.
Although the IC waited seven months before using his new powers, these fines send a clear and strong message to those handling personal data and emphasise the IC’s commitment to, and focus on, data security and information management.
NHS organisations will be particularly interested in Mr Graham’s response to the County Council’s data breaches. These breaches involved two faxes containing highly sensitive personal data, relating to child sex abuse cases, care proceedings and care professionals’ opinions, being sent to the wrong recipient. The sensitive personal data was misdirected to a member of the public and to a barrister’s chambers unconnected with the case. The breaches resulted not only in a financial penalty from the IC’s office but also in the costs of seeking a court injunction preventing disclosure of the facts of the court case or the circumstances of the data breach. Mr Graham is reported as ruling that the penalty of £100,000 was “appropriate” given that the council’s procedures had failed to prevent two serious breaches taking place. His comments act as a clear warning that organisations handling personal data must ensure secure and appropriate measures are in place to prevent inadvertent data breaches.
Failure to encrypt laptops
The importance of data security was again highlighted when an unencrypted computer was stolen from the home of an employee of a private company, resulting in the loss of personal information relating to 24,000 people. The IC was scathing in his comments that the breach “warranted nothing less than a monetary penalty”, as thousands of people’s privacy was potentially compromised by the company’s failure to take the simple step of encrypting the data. Once again NHS organisations will be interested to note these comments, given the amount of sensitive patient data being stored and processed on laptops and computer systems.