ICO uses its powers to fine for the first time
Employment services company A4e and Hertfordshire County Council fined for exposing sensitive data
The Information Commissioner's Office (ICO) today finally used its power to fine organisations for breaching the Data Protection Act (DPA), stinging Hertfordshire County Council for £100,000 and employment services company A4e for £60,000.
The ICO was given the power to issue fines of up to £500,000 back in April but has until now declined to exercise it.
A4e was fined for the loss of an unencrypted laptop that contained personal information relating to 24,000 people who had used community legal advice centres in Hull and Leicester.
The data breach occurred in June 2010 when the unencrypted company laptop was stolen from an employee's home.
After reporting the incident to the ICO, the company notified the people whose data could have been accessed.
Personal details recorded on the system included full names, dates of birth, postcodes, employment status, income level, information about alleged criminal activity and whether an individual had been a victim of violence. An unsuccessful attempt to access the data was made shortly after the laptop was stolen, the ICO said.
The ICO ruled that a fine of £60,000 was appropriate, given that access to the data could have caused substantial distress. It also argued that A4e did not take reasonable steps to avoid the loss of the data when it issued the employee with an unencrypted laptop, despite knowing the amount and type of data that would be processed on it.
A second penalty of £100,000 was issued to Hertfordshire County Council for two serious incidents in which council employees faxed highly sensitive personal information to the wrong recipients. One of the faxes concerned a child sexual abuse case, while the other contained details of care proceedings.
"The A4e laptop theft, while less shocking than the sex abuse case, also warranted a monetary penalty as thousands of people's privacy was potentially compromised by the company's failure to take the simple step of encrypting the data," said information commissioner Christopher Graham in a statement.
"These first monetary penalties send a strong message to all organisations handling personal information. Get it wrong and you do substantial harm to individuals and the reputation of your business. You could also be fined up to half a million pounds," Graham added.
Mark Fullbrook, UK and Ireland director at privileged identity management (PIM) vendor Cyber-Ark, said of the fines: "The industry has been nervously waiting to hear which organisation would first fall victim to the ICO's increased powers, and now we know. People will always need to share information; that isn't going to change. So the onus is on organisations to establish solutions that can effectively manage this risk while providing a secure environment in which to share data."
The fines follow heavy criticism of the ICO for not fining Google following the Street View debacle earlier this month, which saw the ICO accuse the software giant of seriously breaching the DPA by collecting personal data via Wi-Fi. However, the body was unwilling to levy a fine. Critics argued that this data could have been used for commercial purposes.