ICO vows to impose heavy fines for major data breaches

But local councils get off with warning

T-Mobile could face heavy fines if found guilty of major data breaches again

The Information Commissioner’s Office (ICO) has said that it will reserve its new power to impose fines of up to £500,000 for cases like the one involving T-Mobile in November 2009, should similar cases arise again. The ICO has been investigating the mobile network provider after employees allegedly sold details of customers’ mobile phone contracts, including their contract expiry dates.

It is alleged that the information was sold on to the provider’s competitors, whose agents used it to cold-call customers shortly before their contracts expired and offer them an alternative contract.

Under new Ministry of Justice regulations in force from 6 April 2010, the ICO can now fine businesses and local councils up to £500,000 – 100 times the previous maximum fine of £5,000.

The ICO has recently found three local councils to be in breach of the Data Protection Act after each lost personal information about members of the public. However, rather than imposing heavy fines, the ICO opted to have the councils sign an undertaking.

The ICO has said that it has taken no further action and insists that, although its new powers allow it to impose hefty fines, all of its actions will be “proportionate” and decided “on a case-by-case” basis. It did concede, however, that if a case such as T-Mobile’s were to arise again, it would look to use the new powers to impose fines of up to £500,000.

Warwickshire County Council was found to be in breach of the Data Protection Act after two laptops were stolen from its offices and a memory stick was lost. The ICO warned the council because the laptops were neither encrypted nor locked away securely.

St Albans City and District Council was also found to be in breach of the Data Protection Act after it suffered a theft. A laptop containing postal voters’ records was stolen from a desk along with three other council laptops. Although the personal information was password protected, it was not encrypted, and a password alone does not stop someone with physical access to the drive from reading its contents. The data was also still on the laptop after it was no longer required.

The Highland Council was also found to be in breach of the Data Protection Act after personal data relating to several members of one family was inadvertently disclosed to an unrelated individual. The data included sensitive information about the physical and mental health of the people concerned.

“When organisations store large volumes of personal details on portable computers, encryption is essential,” said Sally-anne Poole, head of enforcement and investigations at the ICO.