The Information Commissioner’s Office (ICO) has for the first time taken advantage of new powers it was issued with earlier in the year, to level fines against private and public organisations which have been held responsible for data loss or theft.
In an announcement made this week, the ICO said that a £100,000 fine is being put at the feet of Hertfordshire County Council, in response to a pair of significant data losses and security breaches.
The events in question occurred in June this year with private data accidentally leaking out of the litigation unit dealing with childcare cases for the council. Two separate faxes containing incorrect details exposing data relating to unrelated individuals were issued to the wrong recipients, with the council notifying the ICO on both occasions.
The incidents occurred within two weeks of one another, with one fax going awry and ending up on a private citizen’s machine, after which the council attempted to cloak the details of the mistake from the media.
The second incorrectly sent fax with data of three local children, along with information about people who had been convicted of domestic violence, turned up in the office of a barrister who was not involved in the particular case.
The ICO concluded that a fine of £100,000 was an adequate penalty in the face of these data loss incidents, which were considered to be serious in nature and potentially harmful to the members of the public who were exposed as a result.
£60,000 in fines have also been charged to a private company called A4e, which lost the private data of 24,000 citizens when a laptop which lacked encryption was stolen from an employee of this employment services firm, in the summer of 2010.
A4e took steps at the time to inform the affected parties and also report the data loss to the ICO. The regulator concluded that the firm had not behaved responsibly when the worker was allowed to use a laptop which lacked proper encryption, that might have protected the data after its theft.
Some experts welcome the news that the ICO has begun to throw its weight around, although others are concerned that this is still not enough of a deterrent, with one identifying that A4e has been made to pay under £3 per lost entry.
