ICO hits Ealing and Hounslow councils with £150,000 fines for laptop theft


Warwick Ashford

The Information Commissioner's Office (ICO) has imposed monetary penalties on Ealing and Hounslow Councils following the loss of two unencrypted laptops.

The ICO said the loss represents a serious breach of the Data Protection Act. Since April 2010, the ICO can levy penalties up to £500,000 for such breaches.

Ealing Council provides an after-hours service for both councils, operated by nine staff members who work from home.

The two laptops - containing the details of around 1,700 people - were stolen from an employee's home.

Almost 1,000 of these people were clients of Ealing Council and almost 700 were clients of Hounslow Council. Both laptops were password-protected but not encrypted, even though both councils' policies required encryption.

The ICO said the breach was a significant risk to the clients' privacy, although no clients had complained and there was no evidence the data had been accessed.

The penalty for Ealing Council was set at £80,000. Hounslow Council's penalty was set at £70,000.

Ealing Council breached the Data Protection Act (DPA) by issuing an unencrypted laptop to a member of staff in breach of its own policies, the ICO said.

This method of working had been in place for several years, and there were insufficient checks that policies were being followed or understood by staff, the ICO found.

Hounslow Council breached the DPA by failing to sign a written contract with Ealing Council. Hounslow Council also failed to monitor procedures for operating the service securely.

Deputy commissioner David Smith said that, of the four monetary penalties served so far, three concern the loss of unencrypted laptops.

"Where personal information is involved, password protection for portable devices is simply not enough," David Smith said.

He said the higher penalty for Hounslow Council was aimed at making clear that an organisation cannot hand over to somebody else the handling of personal information for which it is responsible unless it ensures the information is properly protected.

Following the incident, both councils contacted affected individuals. Both authorities have also put significantly improved policies in place for information security and have agreed to consider an audit by the ICO, he said.
