First data protection fines issued
Hertfordshire County Council has been fined £100,000 for serious breaches of the Data Protection Act; one of the first such penalties to be issued by the UK’s Information Commissioner.
The council was fined after mistakenly faxing sensitive details of child abuse and care cases to the wrong recipients twice within a two-week period. A separate fine of £60,000 was issued to Sheffield-based company A4e after an unencrypted laptop containing the personal details of 24,000 people was stolen from an employee’s home.
The fines came seven months after the Information Commissioner’s Office was given the powers to fine organisations in serious breach of the Data Protection Act. Commissioner Christopher Graham said: "It is difficult to imagine information more sensitive than that relating to a child sex abuse case. The laptop theft, while less shocking, also warranted nothing less than a monetary penalty as thousands of people's privacy was potentially compromised by the company's failure to take the simple step of encrypting the data."
"These first penalties send a strong message to all organisations handling personal information – get it wrong and you do substantial harm to individuals and the reputation of your business. You could also be fined up to half a million pounds."
Both organisations have publicly accepted the Information Commissioner’s findings and have apologised for the mistakes. The fines came as figures from law firm EMW showed that the number of High Court cases involving employees taking confidential data from work have increase by 313% in the last 12 months.
Published: 24 November 2010