First Data Protection Act fines issued following UK data breaches

The Information Commissioner's Office has penalised two organisations a combined £160,000, the first time fines have been issued for Data Protection Act violations.

The Information Commissioner's Office (ICO) has imposed fines on two organisations following UK data breaches that occurred in June. These are the first fines to be handed down by the ICO since it acquired new punitive powers in April 2010.

A £60,000 fine was imposed on A4e (Action for Employment) Ltd., a Sheffield employment services company, following the theft of an unencrypted company-owned laptop from the home of an employee.

In this case, the employee had been given the laptop to use at home. In order to do her work, she had copied 24,000 A4e clients' personal records, which were stored unencrypted on the machine. The employee suffered a burglary and the company data was stolen along with other possessions.

"The data controller should have encrypted the laptop computer before it was issued to the employee rather than leave it to the employee to arrange encryption," said the ICO in its monetary penalty notice to A4e.

The error was further aggravated because even though the company had purchased SonicWALL Inc.'s NetExtender VPN product for secure remote working and deployed it for some employees, it was not available to all staff. In this circumstance, the ICO took the view that although the employee broke company policy by copying the records, the data controller should have realised that file copying would inevitably take place for people to do their work.

"The data controller must have known about the problems that home workers were experiencing and that in practice the employee would have to load personal data onto her laptop computer in the absence of remote access," it concluded.

At the time of the loss, the company policy was that any data stored temporarily on a laptop computer should be encrypted. However, a staged introduction of encryption began in March 2009, though had not been completed at the time of the breach; the affected laptop had not yet been part of the encryption rollout.

The ICO took the view that the data controller knew the risks but chose to ignore them when handing out the laptop to the employee. "The fact that the data controller had these policies and processes in place demonstrates that it recognised the risks of a security breach," it said in the judgement.

The ICO judgement also emphasized the importance of formal security awareness training. Although A4e had detailed policies governing the use of PCs and the storage of personal data, and that these were issued to all employees when they joined the company, it found that "There is no record of the employee undergoing any relevant induction training."

In the second case, Hertfordshire County Council was fined £100,000 after staff in its childcare litigation department faxed confidential documents to the wrong recipients on two separate occasions in June of this year. The ICO took the view, in its monetary penalty notice to Hertfordshire County Council, that the council should have taken strong action after the first mistake happened, given the sensitivity of the information involved, but failed to do so.

On April 6, 2010, the Information Commissioner's Office (ICO), the country's privacy watchdog, was granted the power to enforce Data Protection Act fines to organisations that breach the act's terms. The ICO is also able to carry out audits on government departments suspected of having poor security controls.

Information Commissioner Christopher Graham said in a statement: "These first monetary penalties send a strong message to all organisations handling personal information. Get it wrong and you do substantial harm to individuals and the reputation of your business. You could also be fined up to half a million pounds."

William Malcolm, a data protection lawyer at London law firm Pinsent Masons LLP, said the fines should remind companies of the dangers of poor security. "Whilst these breaches are serious, they are not unique or unusual," he said. "Many organisations will be looking at the process failings in these cases and thinking critically about their own organisational risk."

Read more on Data breach incident management and recovery