The ICO has issued its third and fourth monetary penalties for serious breaches of the Data Protection Act to Ealing Council and Hounslow Council. Both fines related to a single incident in which two unencrypted laptops containing sensitive personal information were stolen from the home office of an employee of Ealing.

When previously reporting on the lessons to be learned from the first two fines, we noted that one of these fines also related to the loss of an unencrypted laptop and offered security tips for dealing with this issue. The repeated message from the ICO on this issue was again highlighted in its latest press release: password protection is not sufficient protection for a portable device containing personal information.

Hounslow’s fine also highlights the risks associated with data loss by a data processor acting on your behalf. Hounslow did not, as is required by the Data Protection Act 1998 ("DPA"), have a written data processing contract in place with Ealing Council requiring it to ensure appropriate security for personal data, nor did it monitor Ealing’s security arrangements. As data controller, Hounslow remained responsible for the contravention of the seventh data protection principle (concerning security) even though it had passed the information on to Ealing.


As well as its new powers to issue fines, the ICO continues to use its existing powers to secure undertakings from organisations which commit breaches of the DPA. Recent examples include:-

  • an undertaking from Gwent Police to take remedial action following results of 10,000 Criminal Reference Bureau checks being e-mailed to the address of the wrong person, which had been inserted by e-mail autocomplete;
  • an undertaking from the NHS Blood and Transplant Service to become more robust in checking information is accurate, after a software error had resulted in the donation preferences of 444,031 people being incorrectly recorded on the Organ Donation Register; and
  • an undertaking from the Scottish Court Service following the loss of personal information which had been passed on to an editor of a series of law reports without checking how the individual would keep the information secure.