ICO Hits Two Councils With £150,000 Fine
Two councils have been hit with hefty fines for losing unencrypted laptops containing sensitive personal data
Ealing and Hounslow councils have been slapped with stiff financial penalties after losing laptops that contained sensitive personal data.
The Information Commissioner’s Office fined the two councils for failing to ensure the laptops were encrypted. Ealing Council was hit with an £80,000 fine, whereas Hounslow Council was charged £70,000.
Ealing Council provides an out-of-hours service on behalf of both councils, delivered by a team of nine staff who work from home. According to the ICO, two laptops containing the details of around 1,700 individuals were stolen from an employee’s home. Almost 1,000 of the individuals were clients of Ealing Council and almost 700 were clients of Hounslow Council. Both laptops were password protected but unencrypted – despite this being in breach of both councils’ policies.
Encryption Lapse
The ICO said that there is no evidence that the data on the computers had been accessed, and no complaints have been received from the affected clients, but that there was still a significant risk to privacy.
“Of the four monetary penalties that we have served so far, three concern the loss of unencrypted laptops. Where personal information is involved, password protection for portable devices is simply not enough,” warned deputy ICO commissioner David Smith.
“The penalty against Hounslow Council also makes clear that an organisation can’t simply hand over the handling of the personal information it is responsible for to somebody else unless they ensure that the information is properly protected,” he said.
“Both councils have paid the price for lax data protection practices. I hope all organisations that handle personal information will make sure their houses are in order – otherwise they too may have to learn the hard way.”
Bigger Fines Needed
But some experts feel that the fines need to be bigger to drive home the message.
“Despite the ICO reporting on incidents such as these and imposing fines, the message on the importance of encryption is clearly not getting through,” said Chris McIntosh, CEO of encryption specialist Stonewood.
“Following the breaches of Barnet and Wigan councils at the end of last year you would think that other councils would take note,” he said. “That a further 1,700 personal details have been put at risk is clearly not acceptable and fines of 80,000 and 70,000, while significant, do not go far enough to stamp this out. Valuing each person’s details at less than £50 is clearly not enough of a deterrent.”
Stonewood’s McIntosh said that the ICO has the power to impose fines of up to half a million, which would clearly serve as a powerful message. “When a laptop can be encrypted for as little as £200 it is clearly not acceptable to continue to ignore the Data Protection Act.”
But another expert welcomed the ICO’s tough action.
“It’s good to see the ICO stick to its word and continue to fine those in serious breach of the Data Protection Act,” said Mark Fullbrook, director UK and Ireland at information security expert Cyber-Ark. “What’s particularly interesting in this case though is that Ealing Council actually had a policy in place requiring all data to be encrypted – something which they’d evidently failed to roll out organisation-wide.”
“Given both councils chose to ignore the warning signs, it’s quite clear that more needs to be done to ensure that organisations take data protection more seriously,” he said. “Fines certainly act as a wake-up call to those involved.”
ICO Clampdown?
“With four fines already under its belt, the ICO seems set to make its point – issuing a warning only last week to local councils threatening prosecution for failure to implement proper data control procedures,” Cyber-Ark’s Fullbrook said.
Certainly the ICO seems to have been getting a lot tougher of late. Indeed it has been an eventful time for the ICO after it went through a period of not issuing any fines at all, despite discovering numerous acts of data loss. And last year it was attacked by a Tory MP over the way it handled the Google WiSpy incident.
Last November, the ICO issued its first data loss fines. Hertfordshire County Council was ordered to pay a fine of £100,000 for revealing details of a sex abuse case to a member of the public, and employment agency A4e was fined £60,000 for losing a laptop which contained the unencrypted details of thousands of people.
In December the ICO issued its first demand under the Freedom of Information Act, after asking the University of East Anglia (UEA) to sign a commitment to improve the way it responds to Freedom of Information (FoI) requests.