The Information Commissioner’s Office has issued its first ever fines for data breaches, a move that may help to cement data protection as a board-level issue.
Hertfordshire County Council was fined £100,000 for two incidents in which "highly sensitive" data was faxed to the wrong recipient. In the first incident, data relating to child sexual abuse was faxed to a member of the public instead of a barristers’ chambers, while in the second details of the care proceedings of three children were faxed to an unconnected law firm.
Recruitment services company A4e, meanwhile, was fined £60,000 after an unencrypted laptop, which contained information about people who had used legal advice services, was stolen from an employee’s house.
The ICO was granted the right to issue fines of up to £500,000 earlier this year, for breaches of the Data Protection Act that cause "damage or distress" to the individuals in question. Today’s fines demonstrate the ICO’s willingness to issue heavy penalties for negligence, not just for deliberate breaches.
The penalties also confirm the ICO’s readiness to use its power to fine, which was under question after a number of organisations escaped fines despite significant data protection breaches. One example is Google; the ICO described the collection of UK citizens’ private data by Google’s StreetView camera cars as a "serious breach" of the Data Protection Act, but did not fine the company. Instead, Google has agreed to improve its staff training and data handling procedures.
Earlier this month, the EU revealed proposed amendments to its Data Protection Directive, on which the UK’s Data Protection Act is based. Among the proposed changes are the introduction of an individual’s "right to be forgotten", meaning they can demand that a company delete all the data it holds on them, and measures to "increase transparency for data subjects".