Breach blowout
The Information Commissioner's Office (ICO) has dished out hefty fines to a council and a firm that breached the Data Protection Act.
Hertfordshire County Council has been fined £100,000, while a Sheffield-based firm called A4e was hit with a £60,000 fine for losing an unencrypted laptop with thousands of people's details on it, the BBC reported.
The council was reportedly fined after it accidentally sent two faxes containing personal information about a child sex abuse case and care details to the wrong recipients.
The commissioner, Christopher Graham, was given the go-ahead to fine companies for data protection breaches in April, and these are believed to be the first penalties given out, reportedly intended to 'send a strong message' to firms handling data.
Hertfordshire County Council's mistakes happened in June, when employees in the childcare litigation unit reportedly sent a couple of sensitive faxes to the wrong people. The council reported the accidents to the ICO.
The first fax was apparently intended for a barrister but ended up in the hands of a member of the public, forcing the council to get a court injunction to stop the leak of any facts of the court case or the data breach itself.
Then, under two weeks later, a second fax, reportedly destined for Watford County Court, was sent instead to another barrister unconnected with the case. It contained domestic violence records, conviction details of two people and information on the care of three children. The penalty was partly given because the ICO decided that the council did not take appropriate measures to stop a second breach occurring.
Graham told the Beeb: "It is difficult to imagine information more sensitive than that relating to a child sex abuse case. I am concerned at this breach - not least because the local authority allowed it to happen twice within two weeks."
A spokesman for Hertfordshire County Council reportedly said: "We are sorry that these mistakes happened and have put processes in place to try and prevent any recurrence."
Meanwhile, A4e's breach also occurred in June, when an unencrypted laptop was stolen from an employee's home. It held the information of 24,000 people who had used community legal advice in Hull and Leicester. The firm reportedly offers information on starting a business.
The company reported the incident to the ICO and contacted the people whose data had been stolen, but the ICO reportedly said A4e did not 'take reasonable steps' to protect the data in the first place.
Graham said that, while less shocking than the council's breach, the situation "warranted nothing less than a monetary penalty as thousands of people's privacy was potentially compromised by the company's failure to take the simple step of encrypting the data".
"These first monetary penalties send a strong message to all organisations handling personal information - get it wrong and you do substantial harm to individuals and the reputation of your business. You could also be fined up to half a million pounds," he warned.
Andrew Dutton, the chief exec at A4e, told Auntie: "We acted very swiftly after the incident in June, including making a voluntary report to the ICO. We alerted all customers, partners and relevant authorities affected and continue to update them. This incident occurred as a result of a breach of our security procedures. It also came at a time when A4e was rolling out a new, robust, company-wide set of security controls and procedures."