Penalty notices

30 Nov 2010

It has long been feared that the higher priority afforded by organisations to DPA compliance in recent years is unsustainable given the current economic climate and the drive in both the public and private sectors to cut "back office costs."

Recent developments suggest however that these fears may be premature.

In a speech delivered at the National Association of Data Protection Officers on 10 November 2010 the Information Commissioner reminded delegates that data protection compliance "is no back office job" and went on to say that the midst of a recession "is not the time to be taking risks with data and with public information."

The speech was swiftly followed on 24 November 2010 by the imposition of the first monetary penalty notices to be issued in the UK for data protection breaches. The ICO has had powers since April 2010 to impose penalties of up to £500,000 in cases where data protection breaches occur that cause or are likely to cause substantial damage or distress in circumstances where insufficient steps have been taken to avoid the breach. Until now these powers have not been exercised.

In one case Hertfordshire County Council was served with a penalty notice requiring payment of a £100,000 penalty after highly sensitive information relating to childcare litigation was faxed on two separate occasions to members of the public by mistake.

In a second case, an employment services organisation, A4e, received a £60,000 penalty after an unencrypted laptop that had been supplied to a member of staff whose work involved processing the data of 24,000 users of community legal advice centres was stolen.

These cases give a clear indication of the type of data protection breaches that are likely to result in the imposition of financial penalties in future. In both cases any unauthorised access to the data in question appears to have been limited. In the case of Hertfordshire County Council the recipients of the faxed information were served with injunctions to prevent further disclosure; in the A4e case it appears that attempts to access the data held on the stolen laptop were unsuccessful. What appears to have been of particular significance in both cases was the highly sensitive nature of the data, the fact that it ought to have been obvious that unauthorised access to this data would be likely to cause distress and the failure to take reasonable and simple steps to address obvious risks.

Organisations wishing to avoid the imposition of significant fines should pay special attention to the systems they have in place to safeguard sensitive personal data and ensure that all reasonable and proportionate steps are taken to avoid the loss of, or unauthorised access to, data of this kind.