On 24 November 2010, the UK's Information Commissioner issued two organisations with substantial fines for serious breaches of the UK Data Protection Act 1998.
Hertfordshire County Council was fined £100,000 for two successive data protection breaches in which council employees, on two separate occasions, sent faxes containing highly sensitive personal information to the wrong recipients. The information related, respectively, to a child sex abuse case and to care proceedings. The council reported both breaches to the Information Commissioner's Office (ICO). The Commissioner ruled that, after the first breach, the council had not taken sufficient steps to reduce the likelihood of a second one occurring.
An employment services company, A4e, was also fined £60,000 following the loss of an unencrypted laptop containing sensitive personal information relating to 24,000 people who had used community legal advice centres in Hull and Leicester. The laptop, which had been issued to an employee for the purposes of working from home, was stolen from the employee's house. The company reported the incident to the ICO, and also notified the people whose data could have been accessed. The Commissioner found that the company had not taken reasonable steps to avoid the loss of the data when it issued the employee with the unencrypted laptop, despite knowing the amount and type of data that would be processed on it.
Like the Irish Data Protection Acts 1988 and 2003, the UK Data Protection Act contains no specific legal obligation requiring a data controller to inform either the data subject or the Commissioner of an incident involving the loss or improper disclosure of personal data. Rather, the UK Information Commissioner, like the Irish Data Protection Commissioner, has issued best practice guidelines on breach notification which recommend reporting data security breaches to the Commissioner.
In April 2010, however, the UK Information Commissioner was given increased powers to issue monetary penalties of up to £500,000 for serious breaches of the UK Data Protection Act. The two cases above are the first occasions on which the Commissioner has exercised those powers.
The Irish Data Protection Commissioner does not have equivalent legal powers, but the Report of the Irish Data Protection Review Group, published earlier this year, recommended the introduction of legislation providing for penalties for serious contraventions of the Data Protection Acts. The Review Group stated in their Report that such legislation would eliminate the current anomaly of penalties for relatively minor breaches of the ePrivacy Regulations, but no penalties for serious breaches of the Data Protection Acts. The Report also noted that failure to have such penalties can lead to a relative neglect of data protection within an organisation.
Although the Irish Data Protection Commissioner currently has no power to issue such financial penalties for breaches of the Data Protection Acts, including breaches of their data security provisions, organisations should still take appropriate security measures, have a data security policy in place, and comply with the Data Security Breach Code of Practice. The two UK cases illustrate the kind of measures at issue: encrypting portable devices on which personal data will be processed, and, once an incident has occurred, taking concrete steps to stop it recurring. Such compliance will help minimise the reputational and financial damage to the organisation concerned, and the damage or distress to data subjects, in the event of a data security breach.