ICO hands out £150,000.00 in fines for Data Protection breaches

The ICO has announced that two London councils, Ealing and Hounslow, have been served monetary fines for breaches of the Data Protection Act. The breaches involved the loss of two unencrypted laptops containing personal and sometimes sensitive information.

Laptops are relied upon by a service run by Ealing Council, whereby up to nine staff can be working from home at any given time. Information relating to individuals needs to be recorded on these laptops. This service, although run by Ealing Council, is operated on behalf of Hounslow Council too.

Two password-protected but unencrypted laptops, containing 1700 individuals’ details, were stolen from a worker’s home. These individuals were clients of both councils. The lack of encryption breached both councils’ policies.

Although there is no evidence that any of the information has been accessed by a third party, it is clear that a significant risk has been posed to the data – and as a result Ealing Council was fined £80,000.00 and Hounslow £70,000.00. It was noted that neither council ensured their data policies were understood or adhered to by staff; there was also no written contract between the councils and Hounslow Council had never monitored Ealing Council’s procedures, resulting in the breach.

Deputy Commissioner, David Smith, said:
“Of the four monetary penalties that we have served so far, three concern the loss of unencrypted laptops. Where personal information is involved, password protection for portable devices is simply not enough.
“The penalty against Hounslow Council also makes clear that an organisation can’t simply hand over the handling of the personal information it is responsible for to somebody else unless they ensure that the information is properly protected.
“Both councils have paid the price for lax data protection practices. I hope all organisations that handle personal information will make sure their houses are in order – otherwise they too may have to learn the hard way.”

Following the incident, both councils contacted affected individuals. Both authorities have also put significantly improved policies in place for information security and have agreed to consider an audit by the ICO.

To read the article in full, go to http://www.ico.gov.uk/~/media/documents/pressreleases/2011/Monetary_penalties_ealing_and_hounslow_news_release_20110208.ashx now.

Comment
In order to eliminate the risk of a fine from the ICO, organisations need to know what risks they could be taking. Absolute Data specialises in helping such organisations review their data strategy, and thus improve data management systems.

Absolute Data works with many organisations to reduce or eliminate the risk to the personal information that they hold about individuals. The “softer side” of privacy risk management, such as staff training and having documented procedures, is often overlooked and under-funded in organisations, and is an area where we can have a big impact for a modest investment.
By having a documented procedural system for data management, the chances of getting it right first time will be increased. By reviewing such systems, organisations will continually improve data management systems. This is something that Absolute Data does and can help you with.
For further information, please contact us now at info@absolute-data.co.uk.