First Fines for Breaches in Data Protection

November 24, 2010

Further to our article entitled ‘Data Protection Breaches to Result in up to £500,000 Fine’ (April 2010), the first monetary penalties have been served by the Information Commissioner for serious breaches of the Data Protection Act.

The Information Commissioner, Christopher Graham, has ruled that Hertfordshire County Council must pay a penalty of £100,000 for two serious breaches, which occurred in June 2010, both involving employees faxing sensitive information, one involving child sexual abuse and the other involving care proceedings, to the wrong recipients. In the first case, the fax was sent to a member of the public instead of a barristers’ chambers and in the second case, which occurred 13 days after the first incident, the fax was sent to barristers’ chambers not connected with the case instead of Watford County Council. In justifying the penalty, the Commissioner ruled that access to this data could have caused substantial damage and distress and that sufficient steps to reduce another breach were not taken after the first incident.

The second penalty issued by the Information Commissioner is for £60,000 for employment services company A4e’s loss of an unencrypted laptop. An employee of the company was given the laptop in order to complete work at home. Personal information relating to 24,000 people who had used community legal advice centres in Hull and Leicester was available on the laptop including details such as full names, dates of birth, postcodes, information about alleged criminal activity and if the individual had been a victim of violence. An attempt to access the data after the laptop was stolen failed and the company reported the incident to the Information Commissioner’s Office. Those people whose data could have been retrieved were also informed. Again the Commissioner ruled that access to the data could have caused substantial distress and that reasonable steps were not taken to protect the information despite knowing the amount and type of data that could be accessed on the laptop.

These cases highlight that it is essential for businesses to be aware of the Data Protection Act and to implement a policy to protect personal data.

CFR have extensive experience in carrying out Data Protection Audits, drafting Data Protection policies and data processing contracts. For further information please contact Karen Blair.

Please note: The content of this article is for information purposes only and further advice should be sought from a professional advisor before any action is taken.
Cleaver Fulton Rankin, 50 Bedford Street, Belfast, BT2 7FW
T: 028 9024 3141, Fax: 028 9024 9096, www.cfrlaw.co.uk
A legal alliance Matheson Ormsby Prentice, Dublin & Cleaver Fulton Rankin, Belfast