The UK’s privacy watchdog has for the first time handed out fines for breaches of the Data Protection Act, sending a strong message to organisations that it intends to use new enforcement powers to clamp down on personal information abuses.
The Information Commissioner’s Office fined Hertfordshire County Council £100,000 for two separate cases during which council employees faxed highly sensitive data to the wrong people. In one incident, details relating to a child sexual abuse case that was being heard in court were inadvertently sent to a member of the public.
The ICO also fined A4e, an employment services company, £60,000 for losing an unencrypted laptop that contained personal details of about 24,000 people who had used community legal advice centres in Hull and Leicester.
The ICO said the penalties were designed to show all organisations handling personal information: “Get it wrong and you do substantial harm to individuals and the reputation of your business.”
Under new powers that came into force in April, the ICO can fine an organisation a maximum of £500,000 for serious breaches of the Data Protection Act.
The fines sent “a warning shot across the bows” to organisations that the ICO was prepared to use its new powers and take a muscular approach to anyone that breached data protection laws, said Daniel Cooper, partner at law firm Covington & Burling.
“The ICO lobbied strongly to strengthen their enforcement powers. Now they have demonstrated that they are willing to use them,” Mr Cooper said.
Simon Davies of Privacy International, the UK lobby group, said the monetary penalties were “a useful tool to make organisations more aware of their obligations”. However, he warned that larger companies and agencies would “merely work the fines into their budget margins”.
The UK regulator, headed by Christopher Graham, Information Commissioner, faced some initial criticism for its handling of a recent data protection case involving Google.
Google admitted in May that cars it used to photograph residential streets for its Street View mapping service had accidentally collected “fragments” of information travelling over unsecured wireless networks.
The ICO initially cleared Google of breaching the Data Protection Act in May, after examining a sample of the Street View data. The ICO reopened the probe but only after regulators in Canada and Spain in October ruled that Google had broken local laws. The US group also said it had “mistakenly collected” encrypted personal data.
The ICO finally ruled this month that Google had indeed broken the law. The company was not fined by the ICO for the breaches, most of which occurred before the regulator’s new powers came into force. However, Google apologised and agreed a series of measures with the ICO to improve data handling.