Information Commissioner issues first fines for serious data protection breaches

The first fine of £100 000, was issued to Hertfordshire County Council for two serious incidents where council employees faxed highly sensitive personal information to the wrong recipients. The first case involved a child sexual abuse court case and the second involved details of care proceedings.

The second fine of £60 000, was issued to employment services company A4e for the loss of an unencrypted laptop which contained personal information relating to 24 000 people who had used community legal advice centres in Hull and Leicester.

"It is difficult to imagine information more sensitive than that relating to a child sex abuse case. I am concerned at this breach - not least because the local authority allowed it to happen twice within two weeks," said Information Commissioner Christopher Graham.

The laptop theft, while less shocking, also warranted nothing less than a monetary penalty as thousands of people's privacy was potentially compromised by the company's failure to take the simple step of encrypting the data, he said.

"These first monetary penalties send a strong message to all organisations handling personal information. Get it wrong and you do substantial harm to individuals and the reputation of your business. You could also be fined up to half a million pounds", said Graham.

The Hertfordshire County Council breaches occurred in June 2010 when employees in the council's childcare litigation unit accidentally sent two faxes to the wrong recipients on two separate occasions. The council reported both breaches to the Information Commissioner's Office (ICO).

The first misdirected fax was meant for barristers' chambers and was sent to a member of the public. The council subsequently obtained a court injunction prohibiting any disclosure of the facts of the court case or circumstances of the data breach.

The second misdirected fax, sent 13 days later by another member of the council's childcare litigation unit, contained information relating to the care proceedings of three children, the previous convictions of two individuals, domestic violence records and care professionals' opinions. The fax was mistakenly sent to barristers' chambers unconnected with the case. The intended recipient was Watford County Court.

The commissioner ruled that a monetary penalty of £100 000 was appropriate as the council's procedures failed to stop two serious breaches taking place where access to the data could have caused substantial damage and distress. After the first breach occurred, the council did not take sufficient steps to reduce the likelihood of another breach occurring.

The A4e data breach also occurred in June 2010 following the company issuing an unencrypted laptop to an employee for the purposes of working at home. The laptop contained sensitive personal information when it was stolen from the employee's house.

The laptop contained personal information relating to 24,000 people who had used community legal advice centres in Hull and Leicester. An unsuccessful attempt to access the data was made shortly after the laptop was stolen. Personal details recorded on the system included full names, dates of birth, postcodes, employment status, income level, information about alleged criminal activity and whether an individual had been a victim of violence.

A4e reported the incident to the ICO. The company subsequently notified the people whose data could have been accessed.

The commissioner ruled that a monetary penalty of £60 000 was appropriate as access to the data could have caused substantial distress. A4e also did not take reasonable steps to avoid the loss of the data when it issued the employee with an unencrypted laptop, despite knowing the amount and type of data that would be processed on it.

This story was first published by Computer Weekly

What’s hot on Infosecurity Magazine?