The ICO imposes its first fines for personal data loss
The UK’s Information Commissioner has finally used his new powers and imposed financial sanctions on wrongdoers.
The first penalty, of £100,000, was issued to Hertfordshire County Council for two serious incidents where council employees faxed highly sensitive personal information to the wrong recipients. The first case, involving child sexual abuse, was before the courts, and the second involved details of care proceedings.
The second monetary penalty, of £60,000, was issued to employment services company A4e for the loss of an unencrypted laptop which contained personal information relating to 24,000 people who had used community legal advice centres in Hull and Leicester.
This has provoked a range of different reactions. “It’s good to see the ICO showing its mettle for the first time, sending a clear message that it is completely unacceptable to be cavalier with private and confidential sensitive information,” said Graeme Stewart, public sector business development director at Sophos.
Ed Macnair, CEO of Overtis, is slightly more critical: “At first glance this looks like the ICO has real teeth. However, in the case of the stolen laptop, the penalty is less than £3 for each lost record. When you consider the fact that A4e is a £145 million company, the breach has had a higher impact on the 24,000 individuals whose confidential information has been lost.
“Similarly, this council had clearly not learned from the first devastating security breach and continued to use the same insecure channel for sharing highly sensitive information. The technology is there to prevent information from being stored in unencrypted format and to tightly control the faxing, sending and printing of confidential information. Let’s hope that the ICO’s action encourages other organizations to urgently review their policies and procedures.”
This is closer to my own views. £60,000 to a large company is nothing – it will be less than the cost of some decent security software and staff awareness training. So in fact the ICO is saying it’s cheaper to lose the data than to protect it.
And in the case of the council, as I’ve said before, it’s the public what pays. It’s silly to fine a public body because public bodies don’t have any money: only the body public has money, and it’s the body public, you and me, that has to foot the bill. My view is that people who lose personal data should also lose their job: and that should apply as much to the CEO as the clerk. I asked Ed Macnair, whose company develops user activity management and monitoring software that can prevent such leaks, if the ICO is worth its cost.
“Absolutely,” he replied. “While you make a good point that a government office imposing fines on public sector bodies is ultimately penalising the taxpayer, there are many hundreds of private sector organisations that are also storing personally identifiable information on UK citizens. Many of them are doing so in a sloppy manner, using systems that are highly vulnerable to accidental data loss or deliberate theft.
“Loss of personal information that has been entrusted to an organisation is a breach of trust and causes a great deal of distress to the people affected. I think the imposition of fines is a step in the right direction. While a £100k fine may seem disproportionate to the damage caused by organizations breaching the Data Protection Act, it sends a strong signal that the Information Commissioner is ready to wield his power.
“I think that since the ICO gained its increased powers in April, the UK has held its breath to see whether Christopher Graham would act. He has acted. This should serve as a strong warning to any other organisation, in the public or private sector, that still hasn’t put the policies, processes and technology in place to safeguard UK citizens’ data.”
I repeated my view that fines don’t really hurt anyone (unless they are personal fines), and that really, heads should roll.
“When it comes to culpability,” he replied, “I do believe that fining the organisation is the right approach. I don’t believe it is fair to fine individual employees because often they are simply trying to get on with their jobs and the data breach is caused by them doing something in a rush, without following policy. The organisation has a responsibility to set policies; educate staff on safe data handling; and to set up systems, processes and technology to prevent these policies from being breached. Pinning the blame on individuals would negate the responsibility of company directors who should be putting the policies, procedures and technology in place to prevent breaches occurring. That said, where an employee has maliciously flouted policy and succeeded in damaging their organisation’s reputation by leaking personally identifiable information, then this should be dealt with in the same way as any act of serious professional misconduct.”