The Information Commissioner's Office (ICO) has imposed monetary penalties on Ealing and Hounslow Councils following the loss of two unencrypted laptops.
Ealing Council provides an after-hours service for both councils, operated by nine staff members who work from home.
The two laptops - containing the details of around 1,700 people - were stolen from an employee's home.
Almost 1,000 of these people were clients of Ealing Council and almost 700 were clients of Hounslow Council. Both laptops were password-protected but were not encrypted, even though both councils' policies required encryption.
The ICO said the breach was a significant risk to the clients' privacy, although no clients had complained and there was no evidence the data had been accessed.
The penalty for Ealing Council was set at £80,000. Hounslow Council's penalty was set at £70,000.
Ealing Council breached the Data Protection Act (DPA) by issuing an unencrypted laptop to a member of staff in breach of its own policies, the ICO said.
This method of working had been in place for several years, and there were insufficient checks that policies were being followed or understood by staff, the ICO found.
Hounslow Council breached the DPA by failing to sign a written contract with Ealing Council. Hounslow Council also failed to monitor procedures for operating the service securely.
Deputy commissioner David Smith said, of the four monetary penalties served so far, three concern the loss of unencrypted laptops.
"Where personal information is involved, password protection for portable devices is simply not enough," David Smith said.
He said the higher penalty for Hounslow Council was aimed at making clear that an organisation cannot hand over to somebody else the handling of personal information, for which it is responsible, unless it ensures the information is properly protected.
Following the incident, both councils contacted affected individuals. Both authorities have also put significantly improved policies in place for information security and have agreed to consider an audit by the ICO, he said.