Ealing and Hounslow has been slapped with stiff financial penalties after losing laptops that contained sensitive personal data.
The Information Commissioner’s Office fined two councils, for failing to ensure the laptops were encrypted. Ealing Council was hit with a £80,000 fine, whereas Hounslow Council was charged £70,000.
It seems that Ealing Council provides an out of hours service on behalf of both councils, by a team of nine staff who work from home. According to the ICO, two laptops containing the details of around 1,700 individuals were stolen from an employee’s home. Almost 1,000 of the individuals were clients of Ealing Council and almost 700 were clients of Hounslow Council. Both laptops were password protected but unencrypted – despite this being in breach of both councils’ policies.
The ICO said that there is no evidence that the data on the computers had been accessed, and no complaints have been received from the affected clients, but that there was still a significant risk to privacy.
“The penalty against Hounslow Council also makes clear that an organisation can’t simply hand over the handling of the personal information it is responsible for to somebody else unless they ensure that the information is properly protected,” he said.
“Both councils have paid the price for lax data protection practices. I hope all organisations that handle personal information will make sure their houses are in order – otherwise they too may have to learn the hard way.”
But some experts feel that the fines needed to be bigger to drive home the message.
“Despite the ICO reporting on incidents such as these and imposing fines, the message on the importance of encryption is clearly not getting through,” said Chris McIntosh, CEO of encryption specialist Stonewood.
“Following the breaches of Barnet and Wigan councils at the end of last year you would think that other councils would take note,” he said. “That a further 1,700 personal details have been put at risk is clearly not acceptable and fines of 80,000 and 70,000, while significant, do not go far enough to stamp this out. Valuing each person’s details at less than £50 is clearly not enough of a deterrent.”
Stonewood’s McIntosh said that the ICO has the power to impose fines of up to half a million, which would clearly serve as a powerful message. “When a laptop can be encrypted for as little as £200 it is clearly not acceptable to continue to ignore the Data Protection Act.”
But another expert welcomed the ICO’s tough action.
“It’s good to see the ICO stick to its word and continue to fine those in serious breach of the Data Protection Act,” said Mark Fullbrook, director UK and Ireland at information security expert Cyber-Ark. “What’s particularly interesting in this case though is that Ealing Council actually had a policy in place requiring all data to be encrypted – something which they’d evidently failed to roll out organisation-wide.”
“Given both councils chose to ignore the warning signs, it’s quite clear that more needs to be done to ensure that organisations take data protection more seriously,” he said. “Fines certainly act as a wake-up call to those involved.”
“With four fines already under its belt, the ICO seems set to make its point – issuing a warning only last week to local councils threatening prosecution for failure to implement proper data control procedures,” Cyber-Ark’s Fullbrook said.
Certainly the ICO seems to have been getting a lot tougher of late. Indeed it has been an eventful time for the ICO after it went through a period of not issuing any fines at all, despite discovering numerous acts of data loss. And last year it was attacked by a Tory MP over the way it handled the Google WiSpy incident.
Last November, the ICO issued its first data loss fines. Hertfordshire County Council was ordered to pay a fine of £100,000 for revealing details of a sex abuse case to a member of the public, and employment agency A4e has been fined £60,000 for losing a laptop which contained the unencrypted details of thousands of people.
In December the ICO issued its first demand under the Freedom of Information Act, after asking the University of East Anglia (UEA) to sign a commitment to improve the way it responds to Freedom of Information (FoI) requests.
Targetting AWS, Microsoft? British competition regulator soon to announce “behavioural” remedies for cloud sector
Move to Elon Musk rival. Former senior executive at X joins Sam Altman's venture formerly…
Bitcoin price rises towards $100,000, amid investor optimism of friendlier US regulatory landscape under Donald…
Judge Kaplan praises former FTX CTO Gary Wang for his co-operation against Sam Bankman-Fried during…
Explore the future of work with the Silicon In Focus Podcast. Discover how AI is…
Executive hits out at the DoJ's “staggering proposal” to force Google to sell off its…
View Comments
The vicarious nature of the fine which Hounslow counsel has received gives a clear signal to UK organisations that your data is your own responsibility – with no exceptions. The penalties associated with such data losses will not be considered too harsh by anyone who has taken some time to consider why the Data Protection Act exists, and to look at the seriousness of losing personal data. Particularly if that data ultimately belongs to someone else.
Organisations with outsourced IT are now having to think very carefully about the nature of the data on a broken device before they can allow it to leave their premises in the hands of a third party. Likewise, the service organisation runs the same risk and needs to consider the data security policy of their customer. Should breaches arise, pointing the finger at other parties involved is no defence.