ICO Issues First Data Loss Fines

A county council and an employment agency are first to feel the wrath of the Information Commissioner

The Information Commissioner has issued two fines for data loss and breaches of the Data Protection Act, bringing to an end months of speculation over when it would use the powers it gained in April to penalise negligent organisations.

Hertfordshire County Council has been ordered to pay a fine of £100,000 for revealing details of a sex abuse case to a member of the public, and employment agency A4e has been fined £60,000 for losing a laptop which contained the unencrypted details of thousands of people.

Fax revelations get first big fine

Hertfordshire’s fine is for information revealed through fax messages, rather than more modern technology. On two occasions, the council sent faxes to the wrong recipients, revealing personal details of two sex abuse cases.

The first fax went to a member of the public instead of a barrister, while the second one went to a barrister when it should have gone to Watford County Council. Both revealed details of child abuse cases, including previous convictions, case workers’ opinions and childcare details.

In the first case, the council obtained a court injunction preventing further spread of the information, and reported itself to the Information Commissioner’s Office. “We are sorry that these mistakes happened and have put processes in place to try and prevent any recurrence,” said a council statement.

Stolen laptop warrants penalty

“It is difficult to imagine information more sensitive than that relating to a child sex abuse case,” said the Commissioner, Christopher Graham. “I am concerned at this breach – not least because the local authority allowed it to happen twice within two weeks.”

Although the ICO has asked for jail sentences for offenders, it has so far been hesitant to issue fines, despite a regular stream of lost USB sticks, hard drives and laptops which expose people’s personal data. The NHS has been particularly careless with people’s details, according to ICO information.

The ICO was branded “Keystone Kops” by Conservative MP Robert Halfon for its failure to crack down on Google over the high-profile WiSpy incident, in which some Wi-Fi data was accidentally snooped by Street View cars.

Meanwhile, a worker at Sheffield-based A4e had a laptop stolen from his home, where he had been working on records of 24,000 people who used legal advice centres in Hull and Leicester. The data was unencrypted, and the thief made an attempt to access it.

A4e also reported itself to the ICO, and notified people whose data might have been compromised.

Mr Graham was less concerned about the A4e breach, but said it “also warranted nothing less than a monetary penalty as thousands of people’s privacy was potentially compromised by the company’s failure to take the simple step of encrypting the data”.