Information Commissioner sends "strong message" to data offenders
The Information Commissioner has handed out fines to two organisations for security breaches relating to customers’ personal information in a bid to "send a strong message" to offenders.
Sheffield-based A4e, which provides information about employment and starting a business, was fined £60,000 for losing an unencrypted laptop, while Hertfordshire County Council was fined £100,000 for twice faxing details of vulnerable children to the wrong people.
Information Commissioner Christopher Graham, who was given the power to award financial penalties for data protection breaches in April this year, said: "These first monetary penalties send a strong message to all organisations handling personal information – get it wrong and you do substantial harm to individuals and the reputation of your business. You could also be fined up to half a million pounds."
The A4e incident took place in June, after the company provided an employee with an unencrypted laptop so that they could work from home. The computer held the personal information of 24,000 people who had used community legal advice centres in Hull and Leicester, but was subsequently stolen from the staff member’s house. An unsuccessful attempt to access the data was made shortly afterwards.
A4e reported the incident to the ICO and notified the people and the centres concerned. But the Commissioner ruled that the firm did not take reasonable steps to avoid data loss. Therefore, the situation "warranted nothing less than a monetary penalty as thousands of people’s privacy was potentially compromised by the company’s failure to take the simple step of encrypting the data".
A4e chief executive Andrew Dutton apologised, saying to the BBC: "This incident occurred as a result of a breach in our security procedures. It also came at a time when A4e was rolling out a new, robust company-wide set of security controls and procedures."
The data breaches at Hertfordshire County Council were deemed even more serious, however. Again in June, employees in the local authority’s childcare litigation unit accidentally sent one fax to a member of the public rather than a barrister’s chambers. The council subsequently obtained a court injunction prohibiting any disclosure of the facts of the court case or the circumstances of the data breach.
A second fax, sent 13 days later, contained information relating to the care proceedings of three children, previous convictions of two individuals, domestic violence records and care professionals’ opinions of the cases. It was sent to a barristers’ chambers unconnected with the case rather than the intended target, Watford County Court.
A Council spokesperson said it accepted the Commissioner’s findings. "We are sorry that these mistakes happened and have put processes in place to try and prevent any recurrence," he added.