24 November 2010

Data loss

The UK Information Commissioner has announced [PDF] that it has imposed fines on two organisations over breaches of the Data Protection Act. Those penalties are the first to be imposed and have been described by the Commissioner as sending "a strong message" to those handling data.

Hertfordshire County Council was fined £100,000 for twice faxing highly sensitive personal information regarding a child sex abuse case to the wrong recipients, one of them a member of the public. A4e, a business, was fined £60,000 for losing an unencrypted laptop that held information about thousands of people.

The initial Hertfordshire County Council incident involved staff in the Council's childcare litigation unit misdirecting a fax meant for a barristers' chambers. The council subsequently obtained a court injunction prohibiting disclosure of the facts of the court case or circumstances of the data breach. 13 days later another member of the same unit sent a fax with information relating to the care proceedings of three children, the previous convictions of two individuals, domestic violence records and care professionals' opinions on the cases. That fax was intended for Watford County Court but was misdirected to a barristers' chambers that had no connection with the case.

Unsurprisingly the Commissioner commented that "I am concerned at this breach - not least because the local authority allowed it to happen twice within two weeks".

The A4e data breach - just one of a long procession of lost laptops, lost USB drives, lost tapes and disks - involved the company providing an unencrypted laptop to an employee for work at home. The device contained personal information (including full names, dates of birth, postcodes, employment status, income level, information about alleged criminal activity and whether an individual had been a victim of violence) relating to 24,000 people who had used community legal advice centres. The laptop was subsequently stolen from the employee's house and an unsuccessful attempt to access the data was made shortly afterwards, which is as close as a data controller ever gets to proof that a lost device will be probed.

The Commissioner ruled that A4e did not take reasonable steps to avoid the loss of the data when it issued the employee with an unencrypted laptop, despite knowing the amount and type of data that would be on it. "Thousands of people's privacy was potentially compromised by the company's failure to take the simple step of encrypting the data".

The two organisations may have suffered reputational loss, but let's crunch some numbers before cheering the penalty. Perhaps we need a new metric for punishing negligence in relation to data losses. At £60,000 for 24,000 people, the penalty amounts to £2.50 per person, hardly a swingeing fine. It is reminiscent of the £980,000 penalty imposed by the Financial Services Authority on the Nationwide building society in 2007 after exposure of some 11 million customer records - under 9p per record, and equivalent to less than the business spent on grooming potplants each year.