The UK's data privacy regulator, the Information Commissioner's Office (ICO), has recently issued its largest fine to date against a single data controller, for breaches of the Data Protection Act 1998 (the DPA).
This latest fine, of £120,000 imposed on Surrey County Council, continues a string of increasing financial penalties imposed by the ICO following the bolstering of its enforcement powers by the Criminal Justice and Immigration Act 2008 in April 2010. Since then, the ICO has had the power to impose fines of up to £500,000 on organisations that deliberately or recklessly commit serious breaches of the DPA. Such a breach will be committed by an organisation (acting as a data controller for the purposes of UK law) where:
- it has committed a serious breach of the DPA;
- that breach was either deliberate, or the organisation knew, or ought to have known, that the breach would be likely to cause significant damage or distress; and
- the organisation failed to take reasonable steps to prevent the breach.
Whilst the ICO's approach to enforcement of the DPA is generally pragmatic and looks first to targeted guidance and legally binding undertakings (to take particular steps to correct and prevent the breach), this latest fine evidences the ICO’s long-held view that serious data breaches are not victimless offences and must be responded to with meaningful penalties. The strengthening of the ICO's fining powers comes after repeated calls from the ICO for added bite to the DPA, particularly to ensure that those organisations handling high-risk and sensitive information (such as health information, detailed financial information, or information concerning children) will take their obligations to properly secure that data against loss or unauthorised access more seriously.
The ICO is showing no sign of moving away from its pragmatic approach, though we can see in this latest fine that, where the circumstances warrant it, the ICO will not be shy in imposing significant penalties for DPA breaches. The fine in this case was imposed as a result of Surrey County Council’s repeated failure to properly secure its sensitive information (in particular, physical and mental health information of both adults and children), with the sensitivity of the information and the repeated nature of the breaches being key factors in the ICO’s decision. It also emphasises that if a breach does occur, practices and procedures must be reviewed to ensure that it is not repeated – the fact that there was a series of identical breaches is key here.
The Council’s breach took the form of 3 separate incidents of misdirected emails, each containing various sensitive personal information, none of which was encrypted or password protected. Following the fine, the Information Commissioner, Christopher Graham, made clear that failing to put adequate data security measures in place will not go unpunished: “The fact that sensitive personal information relating to the health and welfare of 241 vulnerable individuals was sent to the wrong people is shocking enough. But when you take into account the two similar breaches that followed, it is clear that Surrey County Council failed to fully address the risks of sending sensitive personal data by email until it was far too late. Surrey County Council has paid the price for their failings and this case should act as a warning to others that lax data protection practices will not be tolerated”.
The imposition of this fine against the Council also demonstrates the ICO’s continued enforcement focus on public authorities, principally in light of the large amounts of sensitive information they handle on a daily basis, and the numerous data security breaches which have kept the issue of public sector data privacy in the public eye for some time now. This latest fine is the sixth issued by the ICO since the increase in its fining powers in April 2010, and is the fourth issued against a public authority. The first fine was issued against Hertfordshire County Council (£100,000 in total over 2 separate actions in November 2010), and the third and fourth were issued against Ealing and Hounslow Councils (£80,000 and £70,000 respectively, in February this year). The second and fifth fines have been imposed on private organisations: respectively, £60,000 against A4e (an employment services company which lost various sensitive personal data on an unencrypted laptop) and £1,000 against the individual data controller of a law firm hit by a distributed denial-of-service attack that left confidential files exposed (and subsequently distributed over the internet).
Whilst this string of increasing fines shows the ICO flexing its muscles and taking a strong position against those high-risk organisations that fail to provide sufficient protection for sensitive information, the general level of ICO fines will do little to worry major organisations operating in the UK. The broad message remains that putting in place high-quality security measures (including those which minimise the risk of human error such as misdirected emails), and increasing those security measures where you are processing sensitive personal information (or any personal information likely to cause distress if lost or exposed), should go a long way to mitigating the risks of increased ICO fines, which, in any case, are currently insufficiently substantial to financially impact most major organisations. The real risk therefore remains the high-profile and long-lasting reputational damage of major data losses and security breaches, and, where relevant, potential fines from other regulators such as the Financial Services Authority (which, in August last year, fined the UK branch of Zurich Insurance Plc £2,275,000 for failing to have adequate systems and controls in place to prevent the loss of customers’ confidential information).