The Information Commissioner's power to fine for serious breaches of the Data Protection Act came into force on 6 April 2010. Although the Information Commissioner produced guidance on the use of the power to fine early in 2010, businesses dealing with personal data have been waiting for the first fines to be levied.
On 24 November 2010, the Information Commissioner revealed that he had issued his first monetary penalties. These penalties, and the decisions behind them, have significant precedential value as the first practical examples of how the Information Commissioner's power will be exercised.
The first decision notice relates to the misdirection of a faxed communication. As a result of this decision and given the inherent risks of using fax to send personal data, data controllers should:
- Use an alternative, more secure, method of transmission where possible.
- (Where fax is the only means of transmission) use a secure fax system if available.
- Put in place measures to ensure the fax reaches its intended destination. This decision emphasises the importance of a phone ahead and confirmation of receipt process.
- Use pre-programmed fax numbers and auto dial facilities where these are available.
- Always use a cover sheet which sets out key information about the sender and what to do if the fax is misdirected.
- Put in place proportionate organisational measures to safeguard the data being sent outside of the organisation. For example, everyday faxes may be sent by anyone but only authorised individuals may send faxes relating to highly sensitive topics. All staff should be educated in appropriate fax procedure.
- If a fax is misdirected, take immediate steps to deal with the disclosure. The steps that should be taken will depend on the seriousness of the misdirection.
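The controls above can be enforced at the point of sending rather than left to individual discretion. The following is an added illustration, not code from the decision notices or from either data controller, and the directory entries, fax numbers and staff names in it are constructed. It models the checks a send-time guard would apply: mandatory cover sheet, senior authorisation and phone-ahead for sensitive content, a preference for pre-programmed numbers, and a near-miss check that flags a manually typed number differing by one digit from a known recipient, which is the kind of mistyping behind the first Hertfordshire incident.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed pre-programmed ("auto dial") numbers; these are not real contacts.
DIRECTORY: Dict[str, str] = {"counsel_chambers": "02075550101",
                             "family_court": "02075550150"}

@dataclass
class FaxJob:
    destination: str             # digits as typed or as selected from the directory
    from_directory: bool         # True when chosen from the pre-programmed list
    sensitive: bool              # e.g. litigation or care-proceedings material
    authorised_by: Optional[str] # senior staff member approving a sensitive send
    cover_sheet: bool            # cover sheet naming sender and intended recipient
    phone_ahead_done: bool       # recipient warned by phone before transmission

def near_miss(number: str, known: str) -> bool:
    """True when `number` differs from `known` in exactly one digit (probable typo)."""
    if len(number) != len(known):
        return False
    return sum(a != b for a, b in zip(number, known)) == 1

def check_fax(job: FaxJob, directory: Dict[str, str] = DIRECTORY) -> List[str]:
    """Return the reasons the job must not be sent; an empty list means it may go."""
    problems: List[str] = []
    if not job.cover_sheet:
        problems.append("cover sheet missing")
    if job.sensitive and not job.authorised_by:
        problems.append("sensitive content requires senior authorisation")
    if job.sensitive and not job.phone_ahead_done:
        problems.append("phone-ahead not recorded for sensitive content")
    if not job.from_directory:
        # Manual entry is where both Hertfordshire misdirections occurred.
        known = directory.values()
        if job.destination in known:
            pass  # typed number exactly matches a pre-programmed recipient
        elif any(near_miss(job.destination, n) for n in known):
            problems.append("number is one digit off a directory entry: probable misdial")
        elif job.sensitive:
            problems.append("sensitive content may only go to directory numbers")
    return problems

def record_transmission(job: FaxJob, sent_by: str, confirmed_by: Optional[str]) -> dict:
    """Build the transmission/receipt log entry the Council later introduced."""
    return {"destination": job.destination, "sent_by": sent_by,
            "authorised_by": job.authorised_by, "receipt_confirmed_by": confirmed_by}
```

A job that fails `check_fax` should be held and the problems shown to the sender; a job that passes is logged with `record_transmission` once the confirmation call has been made.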
The second notice reinforces the importance of encrypting laptops and other portable computer devices, a message that the Information Commissioner has promoted for some time.
1. Hertfordshire County Council
In the first incident, the Council's Childcare Litigation Unit intended to send a fax containing confidential and sensitive information relating to a sexual abuse case to barristers representing the Council in that case. The fax number for the barristers' chambers was pre-programmed into the Council's fax machine, which it was standard practice to use. As the line was busy, the member of staff sending the fax manually entered the destination fax number and was successful in sending the fax. The fax number was incorrectly typed into the fax machine, as a result of which the fax was in fact sent to a member of the public unrelated to the court case. The fax was not preceded by a cover sheet, which would have indicated the sender and intended recipient of the fax and outlined the procedure to be followed in case of misdirection. The Council had no knowledge of the error until the actual recipient notified it that they had received the fax by mistake. The Council voluntarily notified the Information Commissioner's Office of the breach and obtained an injunction preventing the actual recipient from disclosing any information about the misdirected fax, in order to mitigate the damage caused by the breach.
As a result of this breach, the Council carried out an internal investigation and took remedial action, including (i) the reiteration of Council policy that faxes should always be accompanied by a cover sheet, (ii) a mandate that faxes should not be sent without prior authorisation from a senior member of staff and (iii) a recommendation that email is the preferred method of sending confidential information.
Two weeks after the first incident, another fax containing information about care and other domestic proceedings involving 18 individuals was sent to the barristers' chambers involved in the first incident. The chambers were not involved in these proceedings and had no reason to have been sent this information. Again, the recipient fax number had been entered manually rather than using the 'auto dial' function.
Following this second incident, the Council:
- Introduced a secure fax system;
- Introduced a phone ahead and confirmation of receipt process, whereby the sender of the fax should call the intended destination to inform them that the fax was on its way and follow transmission of the fax with a further call to confirm that it had been received;
- Prescribed the members of staff authorised to send faxes; and
- Established a system of recording the transmission and receipt of faxes in the department.
The Information Commissioner considered these breaches to be egregious because the data that were sent by fax were of a particularly sensitive nature. In the first case, the breach could also have been detrimental to the court case. The measures in place to secure data sent via fax were insufficient and had not been improved by the interim measures put in place by the Council, as evidenced by the occurrence of the second incident. In the Commissioner's opinion, staff working in the Childcare Litigation Unit were (or should have been) well aware of the sensitive nature of the data that they handled and the serious consequences that could result from unauthorised disclosure of those data. The Commissioner considered the Council negligent not to have taken more stringent measures to ensure the safekeeping of the information entrusted to it.
These breaches, while unfortunate, indicate that misdirection of faxes is not unusual. Although the sensitivity of the data in this case aggravated the seriousness of the breach, the decision behind this penalty has broad implications for any controller that uses fax as a means of sending personal data.
2. A4e Limited
A4e operates the Community Legal Advice Centres in Hull and Leicester under contract with the Legal Services Commission ("LSC"). A4e is responsible for producing reports about these centres as part of its agreement with the LSC. A member of staff responsible for producing these reports was one of A4e's many home or remote workers, who had been given a laptop by A4e for work use at home. Encryption was a requirement of the LSC contract. Although A4e had a programme of encryption that was being rolled out, the only security measure in place on the laptop was password protected access.
The member of staff loaded onto the laptop personal data (including some sensitive data) relating to 24,000 individuals from a central secure server. While the laptop was at the employee's home, the home was burgled and the computer stolen. The employee reported the theft to A4e's IT department and access to their account was suspended. IT analysis revealed that there had been one unauthorised attempt to access the data around the time of the burglary. This attempt was unsuccessful.
Following this breach, A4e took the following remedial measures:
- Compulsory ICT training;
- Reissue to all employees of relevant ICT policies and request for confirmation that data being processed by employees is in compliance with these policies; and
- Roll-out of encryption and port control to all personal computers and laptops used for work purposes.
All affected data subjects were informed of the data loss, following which the Information Commissioner received one formal complaint and a further 15 informal communications. 3,200 data subjects contacted A4e for further information following notice of the breach.
The Information Commissioner found that A4e had breached the seventh data protection principle by failing to take appropriate technical and organisational measures to secure data processed by it. Appropriate measures in this instance would have been (i) encryption and (ii) the issue (and mandatory use) of security devices for laptops (e.g. desk locks). The encryption process should have been rolled out to all laptops shortly after the risk assessment highlighted deficiencies in A4e's security measures. Encryption should have been carried out before the employee was issued with the laptop, rather than expecting the employee to properly secure the computer. A4e should also have been aware that (albeit in breach of company policy) employees were downloading personal data from its central server locally to their device, rather than remotely accessing the central server in each case.
In addition to the insufficient security measures in place, the Information Commissioner found no record of the employee having been trained in ICT security (although they had apparently been issued with copies of all relevant policies and had been sent reminders about data security by A4e management).
Although the Commissioner found no evidence to indicate that the personal data contained on the laptop had been accessed, serious distress was caused to the data subjects by the knowledge that their data (including sensitive data in some instances) might be made available to a third party. The concern is that these data may be used in identity theft or to harm the data subjects' reputations. This distress was exacerbated because the laptop had not been recovered, so the threat of disclosure was still present.
Further, following a spate of high-profile data losses from unencrypted devices in 2007, the Information Commissioner had produced guidance on how to properly protect these devices. A4e had not followed this advice even though it should have been aware that its day-to-day business involved the processing of large volumes of personal data, which should have been properly protected.
It is not anticipated that the Information Commissioner will issue more than a handful of monetary penalties each year. Industry can therefore take the time to digest the Commissioner's decisions and take appropriate steps to try to avoid a similar outcome with their own processing activities.