Privacy & Information Security Law Blog

In the first use of his powers to impose monetary penalties, the UK Information Commissioner has announced fines for two organizations with respect to serious breaches of the UK Data Protection Act.

• Hertfordshire County Council must pay a fine of £100,000 after staff accidentally faxed highly sensitive information to the wrong recipients, on two separate occasions.
• A4e Limited, an employment services company, must pay £60,000 following the theft of an unencrypted laptop from an employee’s home, putting the data of 24,000 people at risk.

Christopher Graham, the UK Information Commissioner, said in a statement today:

“It is difficult to imagine information more sensitive than that relating to a child sex abuse case.  I am concerned at this breach – not least because the local authority allowed it to happen twice within two weeks.  The laptop theft, while less shocking, also warranted nothing less than a monetary penalty as thousands of people’s privacy was potentially compromised by the company’s failure to take the simple step of encrypting the data.”

The breaches that are the subject of the first fines reflect the very ordinary circumstances of the majority of data breaches.  Sending a fax or email to the wrong recipient is a common mistake.  In Hertfordshire’s case, however, the faxes contained information concerning a child sexual abuse case on the first occasion, and a domestic violence case on the second.  A careless mistake – made twice in two weeks – compromised extremely sensitive personal information.  The theft of an unencrypted laptop, which resulted in a fine of £60,000 for A4e, is again an all too common occurrence.  There is no excuse for failing to encrypt laptops, but this mistake also highlights the risks to organizations that fail to make adequate provision for employees who work remotely.  The A4e employee in question downloaded personal data relating to 24,000 people to her company-issued laptop so that she could work remotely.  A4e had undertaken a risk assessment and was aware of the need to encrypt its laptops, but had not completed the work.

In the UK, not all breaches trigger a fine.  A fine may be imposed only where (1) the violation, by its nature, is likely to cause substantial damage or distress, and (2) the violation was deliberate, or the controller was recklessly indifferent with regard to whether the violation would occur and took no steps to prevent it.

In determining the appropriate fine amount, the Information Commissioner must take into account the nature and effect of the violation, behavioral issues (in the Hertfordshire case this included the fact that the council failed adequately to address the risk following the first incident), and the impact of the fine on the controller (i.e., the controller’s ability to pay).

Although the UK Information Commissioner’s power to impose fines extends to all data controllers, whether in the public, private or third sectors, it is somewhat surprising that a public sector entity has been fined.  Hertfordshire County Council’s breaches were serious, but it may anger some to realize that, in a time of public sector cutbacks, local council taxes will be spent to pay the fine.

The penalties will be paid into the Consolidated Fund, and will not be retained by the Information Commissioner’s Office.  The Commissioner has offered a 20% discount for early payment.  Hertfordshire County Council and A4e have the right to appeal the fines.