Feb 8, 2011 17:20 GMT

The UK Information Commissioner's Office (ICO) has fined two London councils for violations of the Data Protection Act after they lost two laptops with unencrypted personal information.

These represent the third and fourth monetary penalties served by the ICO since it was given such powers in April last year.

The first two fines were issued to the Hertfordshire County Council and employment services company A4e in November 2010.

A4e was fined for losing an unencrypted laptop with the personal details of 24,000 individuals who used community legal advice centers.

The new organizations served with monetary penalties are Ealing Council, which received an £80,000 fine, and Hounslow Council, with £70,000.

The data breaches are related to an out-of-hours service operated by Ealing Council on behalf of both institutions, which involves staff working with people's personal details on laptops at home.

Two of these laptops, containing the details of around 1,700 individuals, were stolen from a council employee's home.

They were password protected, but the data stored on them was not encrypted, which is in violation of both the Data Protection Act and the policies of the two councils.

"Of the four monetary penalties that we have served so far, three concern the loss of unencrypted laptops. Where personal information is involved, password protection for portable devices is simply not enough," said Deputy Information Commissioner, David Smith.

"Both councils have paid the price for lax data protection practices. I hope all organisations that handle personal information will make sure their houses are in order – otherwise they too may have to learn the hard way," he added.

Both councils have notified the affected individuals, made changes to their data handling policies and agreed to an audit from the ICO.