Information Commissioner issues first monetary penalties

The Information Commissioner (ICO) has exercised his new fining power which came into effect on 6th April this year. The power allows the ICO to levy monetary penalties of up to half a million pounds against organisations found to have seriously breached the Data Protection Act.

The first fines are both for security breaches: one for two misdirected faxes containing sensitive personal data, the other for a stolen, unencrypted laptop containing 24,000 records of sensitive personal data.

Misdirected faxes

This case involved two separate incidents in which employees of Herefordshire County Council (Council) had sent faxes to the incorrect recipient. One contained information about child care proceedings and the other concerned a child sex abuse case which was before the court. The Council reported both breaches to the ICO, who found that, taking into account the damage and distress which could have been caused to the individuals concerned, the Council’s procedures did not prevent such serious breaches from occurring. The ICO issued a fine of £100,000 for these breaches.

Stolen unencrypted laptop

In this case, an employee of an employment services company lost an unencrypted laptop which contained 24,000 records of people who had used community legal advice in Leicester and Hull. The laptop was issued to an employee for the purposes of home working but was stolen from the employee’s home. The company informed the ICO of the theft and also informed the individuals whose data could have been accessed. A fine of £60,000 was levied on the company for not taking adequate steps to protect the personal information held on the laptop despite being aware of the distress such information could have caused the individuals concerned if it was inappropriately disclosed.
