ICO imposes first DPA breach fines

Council fined £100,000 for misdirected child abuse faxes; employment services company fined £60,000 over theft of unencrypted laptop

The Information Commissioner’s Office has imposed its first fines for breaches of the Data Protection Act, fining Hertfordshire County Council £100,000 and employment services company A4e £60,000.

The Council was fined for sending faxes containing sensitive data to the wrong recipients. The first fax, containing details relating to a child sex abuse case, was mistakenly sent to a member of the public instead of the intended recipient, a set of chambers. The Council subsequently obtained an injunction prohibiting disclosure of the facts of the court case or the circumstances of the data breach. Thirteen days later, a second fax containing confidential information relating to child care proceedings was sent to a chambers unconnected with the case. Both breaches were reported to the ICO by the Council.

The Council accepted the Commissioner’s findings and apologised for the mistakes. The Commissioner, Christopher Graham, said: "It is difficult to imagine information more sensitive than that relating to a child sex abuse case. I am concerned at this breach – not least because the local authority allowed it to happen twice within two weeks."

The ICO imposed a £60,000 fine on employment services company A4e after an unencrypted laptop containing personal information relating to 24,000 people was stolen. The information related to 24,000 users of community legal advice centres in Hull and Leicester, including details of whether the user had been a victim of violence and information about alleged criminal activity. An unsuccessful attempt was made to access the information shortly after the laptop was stolen in June 2010. A4e reported the incident to the ICO and the company subsequently notified those whose data could have been accessed. The ICO nevertheless decided that a fine was appropriate in view of the number of individuals whose data was compromised and the fact that the risk could have been avoided if the data had been encrypted. Chief Executive Andrew Dutton said: "We have apologised for any distress caused to those involved in this one-off incident in Hull and Leicester and we do so again today."

These fines represent the first uses of the power given to the ICO in April this year to impose fines of up to £500,000 for serious data protection breaches. The Commissioner said: "These first monetary penalties send a strong message to all organisations handling personal information. Get it wrong and you do substantial harm to individuals and the reputation of your business. You could also be fined up to half a million."