In November 2010, the Information Commissioner handed down the first monetary penalty under the Data Protection Act 1998 (DPA). In doing so, the Information Commissioner's Office (ICO) has given a very clear signal to all public authorities in relation to the priority that must be given to data security.
The ICO fined Hertfordshire County Council £100,000 for two breaches of the DPA. The Council had on two occasions faxed highly sensitive information relating to a sexual abuse case to incorrect fax numbers. Although measures had been put in place by the Council to ensure that data was transferred securely, two weeks after the first breach sensitive information was again faxed to a wrong number. The ICO was notified of both breaches and determined that there had been a "serious contravention" of the DPA which warranted the first monetary fine to be levied under the DPA. An employment services company was also fined £60,000 after an unencrypted laptop containing the personal data of 24,000 individuals was stolen from the home of an employee.
The Law
It had long been suggested that the DPA gave the ICO very little power to deal with serious breaches. In January of last year, Parliament approved a statutory amendment to the DPA which gave the ICO the ability to fine organisations up to half a million pounds for a serious contravention of the Data Protection principles. Sections 55A and 55B of the DPA (introduced by the Criminal Justice and Immigration Act 2008) came into force in April 2010 and provide that a monetary penalty may be levied where a Data Controller has seriously breached the Data Protection principles and the breach was of a kind likely to cause "substantial damage or substantial distress". Furthermore, the breach must either have been deliberate, or the Data Controller must have known (or ought to have known) that there was a risk of such a breach and failed to take "reasonable steps" to prevent it.
Impact of decision
In relation to Hertfordshire CC, the Information Commissioner sets out in the Monetary Penalty Notice that his decision to fine the Council was designed to "promote compliance" with the DPA, and all organisations will therefore need to take heed of this enforcement action. The Commissioner also confirms that the case was seen as "an opportunity to reinforce the need for data controllers to review the sending of confidential and sensitive personal data".
The ICO states very clearly that the fine levied on Hertfordshire CC will be a "precedent by which future notices will be judged". As such, all organisations that hold and process sensitive personal data should take this opportunity to review how information is stored, shared and destroyed to ensure compliance with the DPA. Policies, procedures and risk assessments must be in place to demonstrate that there are sufficient organisational measures to safeguard data security and to ensure that unauthorised or unlawful disclosures do not take place. Staff will also need to be reminded of their responsibilities, and where a breach does occur, organisations must be able to demonstrate that prompt and effective remedial action has been taken.
It is now clear that the ICO is willing to use its new powers, and with the public sector squarely within its sights, all organisations will need to ensure that information governance issues are made a priority going forward.