New Fines for Breaches

New powers given to the information commissioner last year are helping businesses to take compliance seriously.

In November, the first fines were issued for serious breaches of data protection. Although most businesses wouldn't be directly affected, it certainly sent out a warning message – tighten up on information security or else.

The Information Commissioner's Office (ICO) is the independent official body responsible for administering the provisions of the Data Protection Act 1998 – and it has always had the power to audit organisations and prosecute for any breaches. However, in April 2010, the body was given new powers to take 'regulatory action' over non-compliance and issue fines as appropriate.

The first fines for serious breaches of data protection were issued against Hertfordshire County Council, which was fined £100,000, and A4e, an employment services company fined £60,000.

In the council's case, two faxes containing highly sensitive information were sent to the wrong recipients. The first, a fax containing details related to child sexual abuse, was sent to a member of the public rather than a barristers' chambers. Thirteen days later a similar incident occurred – a fax containing information about care proceedings was sent to a barristers' chambers rather than the intended recipient, the county court.

Even though the council managed to get an injunction to prevent disclosure of the details of the case becoming public, it still received a significant fine.

For A4e, an unencrypted laptop was stolen from an employee's home. Unfortunately it contained personal information relating to 24,000 people and had been issued to the employee for the purpose of working from home.

Christopher Graham, the information commissioner, explained: “It is difficult to imagine information more sensitive than relating to a child sex abuse case. I am concerned at this breach – not least because the local authority allowed it to happen twice within two weeks.

“The laptop theft, while less shocking, also warranted nothing less than a monetary penalty, as thousands of people's privacy was potentially compromised by the company's failure to take the simple step of encrypting the data.

“The monetary penalties send a strong message to all organisations handling personal information. Get it wrong and you do substantial harm to individuals and the reputation of your business. You may also be fined up to half a million pounds.”

What is noteworthy in both cases is that the organisations took steps to minimise the potential harm caused by the breach – but this wasn't enough to protect them from fines.

Every business that holds personal information about individuals is required to observe the principles set out in the DPA. The ICO now has teeth and has shown that it isn't afraid to bite those that overstep the mark. It also isn't afraid to tarnish a company's reputation – and that's without considering the substantial fines that can be imposed, although it is worth noting that financial penalties are only likely to be imposed if the data controller seriously contravenes the DPA principles or causes substantial damage or distress.

The contravention also needs to be deliberate, or the data controller must have known (or ought to have known) that there was a risk and failed to take steps to prevent it becoming a problem.

However, despite huge investments in protecting and managing personal data, both of these cases were caused by human error, which could easily have been avoided had the risk been identified earlier.

The current advice to businesses is to undertake a thorough risk assessment, look at how the personal information they hold could be vulnerable – and then put in place and enforce systems that minimise the likelihood of any future contraventions.

Original article, by Nicola Hoskins, courtesy of CCR.