Information Commission gets tough

Added On: 24th January 2011

In November 2010 the ICO announced its first use of its recent power to issue fines or monetary penalties for serious breaches of the data protection legislation.

The first penalty of £100,000 was issued to a local authority, Hertfordshire County Council. The second was of £60,000 and issued to a private business, A4e, an employment services company. Both cases involved security breaches. Data security breaches are more likely to have serious consequences, so it was always likely that the first fines would be for this type of breach.

One of the cases concerned a failure to encrypt a laptop or mobile device. It had become pretty clear from the tone of previous enforcement notices, and other statements made by the ICO since the HMRC incident, that patience with this type of breach had run out. Encrypting a mobile device which will hold huge data sets or sensitive details is a simple step, and one which should be adopted now if not already in hand.

The other case involved faxing sensitive data to the wrong recipient, and the ICO was critical of the fact that simple security measures, such as phoning ahead or asking for a receipt of a fax, were not in place.

The cases both involved human error and these cases are always more challenging; compliance is only as good as the weakest link in an organisation. It is worth reminding staff of their obligations and the importance of care in this area, especially when dealing with sensitive details. It would also be worth considering training on, and/or raising awareness of, privacy issues. In addition, policies and practices on handling, using and processing sensitive information should be reviewed to ensure they are sufficiently rigorous.