Legal Updates

Data Protection: Organisations are being fined for violating the Data Protection Act

In April 2010 the UK Information Commissioner’s Office (“ICO”) was given extended enforcement powers designed to deter personal data security breaches and other breaches of the Data Protection Act.

The ICO issued its first monetary penalties on 24 November 2010. These were as follows:

  • Hertfordshire County Council received a penalty of £100,000 after negligently releasing sensitive personal information to unintended recipients on two occasions.

The council accidentally sent two faxes to the wrong recipients. The first was meant for barristers’ chambers and was sent to a member of the public. The second was mistakenly sent to barristers’ chambers unconnected with the case.

The ICO felt that the level of the fine sufficiently reflected the fact that the council’s procedures had failed to stop two serious breaches and that the council had not taken sufficient steps to reduce the likelihood of another breach occurring.

  • An employment services company received a fine of £60,000 following the theft of an unencrypted laptop containing sensitive information on thousands of individuals.

The laptop contained information relating to people who had used community legal advice services: names, dates of birth, postcodes, employment status, income level, information about alleged criminal activity and whether an individual had been a victim of violence.

The organisation notified the people whose data could have been accessed, but the ICO felt that the level of the fine reflected the fact that the organisation had not taken reasonable steps to avoid the loss of the data when it issued the employee with an unencrypted laptop, despite knowing the amount and type of data that would be processed on it.

ICO Powers

The ICO has legal powers to ensure that organisations comply with the requirements of the Data Protection Act. Depending on the circumstances, the powers the ICO has at its disposal include:

  • serving information notices requiring organisations to provide the ICO with specified information within a certain time period;
  • serving enforcement notices requiring organisations to take specified steps in order to ensure they comply with the law;
  • issuing monetary penalties of up to £500,000 for serious breaches of the Data Protection Act;
  • conducting audits to assess whether organisations are processing personal data in accordance with good practice;
  • reporting to Parliament on data protection issues of concern; and
  • prosecuting those who commit criminal offences under the Act. The ICO prosecutes individuals and organisations for specific breaches of the Act such as the illegal trading of personal data and non-notification.

Power to issue fines

The ICO can order organisations to pay penalties of up to £500,000 for serious breaches of the data protection principles which may cause damage or distress to data subjects.

Previously, fines for serious breaches were limited to £5,000 and, in any event, the ICO was reluctant to take a heavy-handed approach to enforcing compliance.

Procedure

  • The ICO sends the organisation a notice of intent to issue a monetary penalty notice;
  • The organisation has the opportunity to respond to the notice;
  • The ICO then considers the response;
  • If it decides to impose a penalty, the organisation may receive a 20% discount by paying in full within 28 days of the notice.

In deciding whether to impose the full penalty, the ICO assesses breaches according to various criteria, including:

  • The seriousness of the breach;
  • The likelihood of significant damage;
  • The likelihood of distress to affected individuals;
  • Whether the breach was deliberate or negligent; and
  • What action the organisation had taken to prevent breaches.

In the two cases described above, the ICO justified the penalties as appropriate because access to the highly sensitive information could have caused substantial distress to the individuals concerned. However, the level of the fines imposed in these cases suggests that only exceptionally serious violations are likely to attract the top-level penalty of £500,000.

Organisations should adopt practical steps to ensure full compliance with the eight principles of the Data Protection Act. The principles require that personal information is:

1.  Fairly and lawfully processed;
2.  Processed for limited purposes;
3.  Adequate, relevant and not excessive;
4.  Accurate and up to date;
5.  Not kept for longer than is necessary;
6.  Processed in line with the data subject’s rights;
7.  Secure; and
8.  Not transferred to other countries without adequate protection.

Neither organisation mentioned above had adequate security in place to prevent the incidents from occurring. Organisations should consider simple measures to avoid violating the Data Protection Act: installing firewalls; regular shredding of confidential paper waste; encrypting sensitive data, in particular full-disk encryption on laptops and removable media so that a stolen device does not expose its contents; verifying recipient details before sending faxes or e-mails containing personal data; staff training; clearance levels; and physical security measures.

It is advisable that companies and businesses, whatever their size, conduct regular audits to determine whether they are compliant with the DPA. This is an important issue for companies and they should take note.

Dr Rosanna Cooper is the principal of RT Coopers and specialises in data protection audits and compliance. Dr Cooper may be contacted on 020 7488 9947 or by e-mail: [email protected]

Further guidance can be found on the ICO’s website (http://www.ico.gov.uk/for_organisations/data_protection.aspx) or by contacting RT Coopers - visit http://www.rtcoopers.com/practice_dataprotection.php

© RT COOPERS, 2011. This Briefing Note does not provide a comprehensive or complete statement of the law relating to the issues discussed nor does it constitute legal advice. It is intended only to highlight general issues. Specialist legal advice should always be sought in relation to particular circumstances.