ICO hits Ealing and Hounslow Councils with £80k and £70k penalties

The Information Commissioner’s Office has fired another warning to public bodies about the loss of unencrypted laptops after hitting the London boroughs of Ealing and Hounslow with fines running into tens of thousands of pounds for breaching the Data Protection Act.

The monetary penalties related to the theft of two laptops containing sensitive personal information from the home of an employee of an out-of-hours service run by Ealing Council on behalf of both authorities.

Members of the team receive contact from a variety of sources, the ICO said, and use the laptops to record information about individuals.

The stolen laptops contained details of 1000 of Ealing’s clients and 700 of Hounslow’s clients. The laptops were password protected but unencrypted, a breach of the councils’ policies on data protection.

According to the ICO, there was “no evidence to suggest that the data held on the computers has been accessed and no complaints from clients have been received by the data controllers to date but there was nevertheless a significant risk to the clients’ privacy”.

Ealing has been handed a monetary penalty of £80,000, with the ICO saying that issuing an unencrypted laptop to a member of staff was a breach of the DPA. The watchdog criticised the authority for having this method in place for years, and for failing to carry out sufficient checks that relevant policies were being followed or understood by staff.

Although the service was run by Ealing, Hounslow Council was still served with a £70,000 monetary penalty. The ICO pointed out that the authority had breached the DPA by failing to have a written contract in place with Ealing. Hounslow also failed to monitor Ealing Council’s procedures for operating the service securely, the watchdog said.

Deputy Commissioner, David Smith, said: “Of the four monetary penalties that we have served so far, three concern the loss of unencrypted laptops. Where personal information is involved, password protection for portable devices is simply not enough.

“The penalty against Hounslow Council also makes clear that an organisation can’t simply hand over the handling of the personal information it is responsible for to somebody else unless they ensure that the information is properly protected.

“Both councils have paid the price for lax data protection practices. I hope all organisations that handle personal information will make sure their houses are in order – otherwise they too may have to learn the hard way.”

Both local authorities have contacted affected individuals, put “significantly improved” policies in place for information security and agreed to consider an audit by the ICO, the watchdog said.

The penalties imposed on Ealing and Hounslow come just months after the ICO slapped Hertfordshire County Council with a £100,000 penalty after employees in its childcare litigation unit accidentally sent faxes containing highly sensitive personal information to the wrong recipients.

Employment services organisation A4e was also handed a £60,000 penalty for an unrelated incident involving the loss of an unencrypted laptop relating to users of community legal advice centres in Hull and Leicester.