ICO hits Hertfordshire with £100k penalty after childcare litigation data breaches

Hertfordshire County Council has been hit with a £100,000 penalty by the Information Commissioner after two incidents where employees in its childcare litigation unit accidentally sent faxes containing highly sensitive personal information to the wrong recipients.

It is the first time that the Information Commissioner has levied monetary penalties for serious breaches of the Data Protection Act, under new powers that came into force in April 2010. Employment services organisation A4e has also been handed a £60,000 penalty for an unrelated incident.

Hertfordshire had reported the breaches, which occurred in June 2010, to the ICO. One case involved child sexual abuse and was before the courts; the other involved details of care proceedings.

In the first incident, a fax intended for a barristers’ chambers was received by a member of the public. Hertfordshire then obtained a court injunction prohibiting any disclosure of the facts of the case or the circumstances of the data breach.

Thirteen days later, a second fax was misdirected by another member of the council’s childcare litigation unit. It was meant for Watford County Court but was sent by mistake to barristers’ chambers unconnected with the proceedings.

The ICO said this fax contained information relating to the care proceedings of three children, the previous convictions of two individuals, domestic violence records and care professionals’ opinions.

The Commissioner ruled that a £100,000 penalty was appropriate, “given that the Council’s procedures failed to stop two serious breaches taking place where access to the data could have caused substantial damage and distress”.

The watchdog also said that after the first breach occurred, Hertfordshire “did not take sufficient steps to reduce the likelihood of another breach occurring”.

A spokesman for Hertfordshire said the council accepted the Commissioner's findings. He added: "We are very sorry that these mistakes happened and have put processes in place to try to prevent any recurrence."

A4e was served with a monetary penalty of £60,000 after it lost – also in June 2010 – an unencrypted laptop containing personal information relating to 24,000 people who had used community legal advice centres in Hull and Leicester.

The laptop was stolen from an employee’s house, and there was a subsequent unsuccessful attempt to access the data. Information contained on the system included full names, dates of birth, postcodes, employment status, income level, information about alleged criminal activity and whether an individual had been a victim of violence, the ICO said.

A4e reported the incident and notified the ICO, who – on deciding the appropriate penalty – ruled that access to the data could have caused “substantial distress”. The organisation had also failed to take reasonable steps to avoid the loss of the data.

Information Commissioner, Christopher Graham, said: “It is difficult to imagine information more sensitive than that relating to a child sex abuse case. I am concerned at this breach – not least because the local authority allowed it to happen twice within two weeks. The laptop theft, while less shocking, also warranted nothing less than a monetary penalty as thousands of people’s privacy was potentially compromised by the company’s failure to take the simple step of encrypting the data.

“These first monetary penalties send a strong message to all organisations handling personal information. Get it wrong and you do substantial harm to individuals and the reputation of your business. You could also be fined up to half a million pounds.”

Paula Barrett, partner at law firm Eversheds, said the fact that a public sector organisation was one of the first recipients of a fine was “no accident of fate, especially given that a large proportion of those data security breaches reported to the ICO each year emanate from this sector”.

She added: “If nothing else, the news dispels any mistaken belief that a public sector body would not receive a fine because of the current constraints on the public purse – however politically sensitive that may be just now.”

The selection and fining of Hertfordshire CC and A4e by the ICO posed some interesting questions, Barrett suggested, particularly when there have been other, larger scale data security breaches by high profile businesses that have thus far escaped this kind of penalty.

She said: “Strategic thought has undoubtedly been given when deciding which of the many cases seen by the ICO it would choose to apply the new penalties to. Consequently the choice in these cases does provide some tangible guidance as to the approach the ICO may take in the future and the type of incident which might trigger the issue of a penalty notice.

“The fact that failure to encrypt a laptop or mobile device is involved in the second of these cases, the fine given to A4e, is perhaps not surprising. It has been pretty clear from the tone of enforcement notices and other statements made by the ICO since the HMRC incident that patience with this type of breach has run out. Organisations who have not already done so should take this as a warning to adopt the simple encryption of mobile devices holding huge data sets or sensitive details as standard practice now, or face the consequences.”

Barrett acknowledged that cases of human error – as occurred with Hertfordshire – are always more difficult to combat. “Nonetheless employers should try to mitigate the risk of human error by reminding staff of their obligations and the importance of care in this area, especially when dealing with sensitive details,” she said.

The Eversheds partner also advised organisations to take a new look at privacy training and raising awareness. She added: “It is also interesting to note that both data controllers fined here proactively reported the breach to the ICO. As more details emerge it will be interesting to see whether this was taken into consideration in determining the size of the penalties.”