Nov 24, 2010 07:52 GMT

The UK Information Commissioner's Office (ICO) fined two organizations for serious data breaches, marking the first monetary penalties served for Data Protection Act violations.

At the beginning of April, the ICO was given the power to issue fines of up to £500,000 for data breaches, depending on their seriousness, the nature of the data involved, the duration of the breach and the number of affected individuals.

The Information Commissioner announced today that the first two such penalties, of £100,000 and £60,000, were served to the Hertfordshire County Council and employment services company A4e, respectively.

The Hertfordshire County Council was fined after its employees faxed highly sensitive data to wrong recipients on two separate occasions.

The breaches occurred back in June and originated in the council’s childcare litigation unit. The first incident involved documents related to a child sexual abuse case being sent to a member of the public instead of barristers' chambers.

Thirteen days later, a second fax containing information regarding the care proceedings of three children, previous convictions of two individuals and domestic violence records, was misdirected to the barristers’ chambers instead of Watford County Court.

The ICO decided that a £100,000 fine was in order because the data could have caused substantial damage and because the council failed to prevent the second breach after learning of the first one.

The A4e data breach involved the theft in June of a laptop containing the unencrypted personal details of 24,000 individuals who used community legal advice centers in Hull and Leicester.

The computer was given to one of the company's employees for the purpose of working at home and data stored on it included full names, dates of birth, postcodes, employment status, income level, information about alleged criminal activity and whether an individual had been a victim of violence.

The ICO ruled that a £60,000 fine was appropriate because the company did not take the necessary precautions to secure the data despite being aware of its highly sensitive nature.

"These first monetary penalties send a strong message to all organisations handling personal information," said Information Commissioner Christopher Graham.

"Get it wrong and you do substantial harm to individuals and the reputation of your business. You could also be fined up to half a million pounds," he warned.