The UK Information Commissioner’s Office (“ICO”) used its new power to issue monetary penalty notices for the first time last week, in response to two serious breaches of the UK Data Protection Act (“DPA”): one case involves misdirected faxes, the other the theft of a laptop.
Since April 6, 2010, the ICO has had the power to impose a fine of up to £500,000 on a data controller that commits a serious violation of the DPA where (1) the violation is likely to cause substantial damage or substantial distress, and (2) the violation was either deliberate, or the data controller knew or ought to have known there was a risk that a violation would occur and failed to take reasonable steps to prevent it. The first prong is met merely by showing that substantial damage or substantial distress is likely; no actual harm need be proven, and the ICO has taken the position that “distress” means “any injury to feelings, harm or anxiety suffered by an individual.” Thus, as these two cases demonstrate, careless mistakes coupled with a lack of reasonable procedures or reasonable technical protections can lead to significant fines, even where no actual harm occurs.
In the first case, Hertfordshire County Council was fined £100,000 for two violations of the DPA in which council employees in its Childcare Litigation Unit accidentally faxed highly sensitive information to the wrong recipients. The first fax was sent without a cover sheet containing instructions on what the recipient should do if the fax was misdirected. It contained confidential and sensitive personal data of seven individuals connected to a child sexual abuse case and was sent to a member of the public, who reported the fax to the Council and the ICO. In response, the Council obtained a court injunction to prevent disclosure of the details in the fax. The second fax, sent by a different employee within two weeks of the first, went to a barrister’s chambers instead of a court and contained confidential and sensitive personal data of 18 individuals connected to care proceedings for three children, including names and dates of birth, records of domestic violence, and the opinions of care professionals on matters such as the adults’ personal relationships and ability to care for children. This time the fax was sent with a cover sheet, and a clerk at the barrister’s chambers that received it contacted the Council and confirmed that the fax had been destroyed unread.
Hertfordshire County Council voluntarily reported both incidents to the ICO and worked with it to improve its procedures for faxing highly sensitive information. Despite this, and despite there being no indication that the misdirected faxes caused actual damage or distress, the ICO ruled that a £100,000 penalty was appropriate because (1) the Council’s procedures failed to stop two serious breaches in which access to the data could have caused substantial damage and distress, and (2) after the first breach, the Council failed to take sufficient steps to reduce the likelihood of another.
The second case involved the theft of an unencrypted laptop from the home of an employee of A4e Limited and resulted in a fine of £60,000. A4e operates community legal advice centres in two UK cities and issues laptops to employees for working at home or remotely. The stolen laptop held sensitive information on approximately 24,000 individuals who had used the advice centres, including full names, dates of birth, postcodes, employment status, disability status, ethnicity, income level, information about alleged criminal activity, and whether an individual had been a victim of violence. Although A4e was aware of the risk of issuing unencrypted laptops to employees for use outside the office and had begun a programme to roll out encryption, the stolen laptop was unencrypted and protected only by a login password. A login password alone does not protect data at rest: the drive can simply be removed and read on another machine, which is why full-disk encryption, not password protection, is the relevant control. A4e reported the breach to the ICO and notified the individuals whose data may have been accessed. The ICO ruled that the £60,000 fine was appropriate because (1) access to the data could have caused substantial distress and substantial damage, and (2) issuing the employee an unencrypted laptop was unreasonable given the type and volume of data that would be processed on it.
Links to PDFs of the ICO’s monetary penalty notices for both cases are available on its website.