The Information Commissioner’s Office (ICO) on 24 November imposed the first fines for serious breaches of the Data Protection Act, under powers granted in April this year. One case was against a private sector company; the other arose in the public sector.
The Private Sector: Stolen Unencrypted Laptop
Employment services company A4e was fined £60,000 after issuing an unencrypted laptop to an employee working from home. The laptop contained sensitive personal information relating to 24,000 people, including “full names, dates of birth, postcodes, employment status, income level, information about alleged criminal activity and whether an individual had been a victim of violence”. The laptop was stolen from the employee’s house and an attempt was made to access the data.
A4e was fined on the basis that access to the data could have caused substantial distress. A4e also failed to take reasonable steps to prevent unauthorised access by encrypting the data, despite being aware of the amount and type of data on the laptop.
The Public Sector: Incorrectly Addressed Faxes
Hertfordshire County Council was fined £100,000 for two serious incidents where Council employees sent faxes containing highly sensitive information to the wrong recipients. The first fax was intended for a barrister, but was instead sent to a member of the public. Thirteen days later, a second fax intended for a Court was mistakenly sent to another barrister. Both faxes contained information about ongoing cases involving child sex abuse and care proceedings.
The Council was fined on the basis that its procedures failed to prevent two serious breaches of the data protection principles that could have caused substantial damage and distress. After the first breach, the Council failed to take sufficient action to reduce the risk of the second breach occurring.
The Information Commissioner, Christopher Graham, said that the fines were intended to “send a strong message to all organizations handling personal information”.
The power to fine was introduced into UK law in 2010. It arises if there has been a serious contravention of the data protection principles by the data controller, the contravention was of a kind likely to cause substantial damage or substantial distress, and either the contravention was deliberate or the data controller was (in a defined sense) careless. ‘Careless’ here means that the data controller knew (or ought to have known) both that there was a risk that the contravention would occur and that such a contravention would be of a kind likely to cause substantial damage or substantial distress, and nonetheless failed to take reasonable steps to prevent it.
If the ICO is satisfied as to the above, it must first serve a ‘notice of intent’, which invites the controller to make written representations and provides certain timing details. It may then (after the time limit for representations has expired) serve a ‘monetary penalty notice’ setting out the penalty proposed. Fines of up to £500,000 can be levied.
There have been many incidents recently where the ICO has been criticized for not exercising his new powers. Finally, he has done so. More can be expected. Users of personal data will now be more wary of their obligations under data protection law, including to handle data only in a fair manner, to keep the data secure, to keep the data relevant and not excessive, and not to transfer the data outside of Europe without ensuring adequate protection. It should also not be forgotten that enforcement action can be taken under other powers (the serving of notices and extraction of undertakings) even if the conduct does not meet the admittedly high threshold at play here (of being serious and deliberate or careless).
Lastly, it should not be forgotten that whilst this power of the UK ICO to fine is relatively new, those in regulated sectors are subject to parallel regimes which also apply when data security breaches occur. The Financial Services Authority (FSA), for example, has levied a number of fines against regulated firms for not having adequate systems and controls in place to protect their customers’ confidential details, including an incident in 2009 when three HSBC entities were fined a total of £3 million and another in August of this year when Zurich Insurance was fined £2.75 million (the largest single fine to date).