First Data Protection Act fines issued
Data protection has hit the headlines again with news that two bodies have been issued with substantial fines by the Information Commissioner, Christopher Graham, after serious breaches of the Data Protection Act (DPA).
The first two reported fines are as follows:
Firstly, Hertfordshire County Council has been issued with a fine of £100,000 after two data protection breaches. Both involved faxing sensitive information to the wrong number. The cases related to child sex abuse and child care proceedings. The Commissioner ruled that a monetary penalty of £100,000 was appropriate because the council's procedures failed to prevent two serious breaches and because, after the first breach, the council did not take sufficient steps to reduce the likelihood of another breach occurring.
The second fine was issued to A4e. An employee who worked from home was given an unencrypted laptop to use. The laptop was stolen from the employee's home. It contained personal details for 24,000 people who had used community legal advice centres. The thieves unsuccessfully tried to access the data. The Commissioner ruled that A4e did not take reasonable steps to avoid the loss of the data when it issued the employee with an unencrypted laptop, despite knowing the amount and type of data it contained. As a result, A4e has been issued with a fine of £60,000.
The Commissioner said:
'These first monetary penalties send a strong message to all organisations handling personal information. Get it wrong and you do substantial harm to individuals and the reputation of your business. You could also be fined up to half a million pounds.'
Internet links: ICO press release; ICO guidance on the rules