First monetary penalty notices issued by ICO
On 24 November the Information Commissioner's Office ("ICO") issued its first monetary penalty notices, marking the first use of this power since it became available to the ICO in April.
The first monetary penalty, of £100,000, was issued to Hertfordshire County Council for two serious incidents where council employees faxed highly sensitive personal information to the wrong recipients. The first incident involved information regarding child sexual abuse, which was intended to be sent to a barrister's chambers. The second incident involved details of care proceedings. On both occasions, an employee incorrectly entered the full fax number of the intended recipient manually, rather than the standard practice of using the auto-dial function.
The second monetary penalty, of £60,000, was issued to employment services company A4e for the loss of an unencrypted laptop which contained personal information relating to 24,000 people who had used community legal advice centres in Hull and Leicester. The laptop, which was intended for home use, was stolen from an employee's house during a burglary.
Legal basis of monetary penalties
The ICO is authorised to issue monetary penalty notices by virtue of s55A of the Data Protection Act 1998. This section, inserted by the Criminal Justice and Immigration Act 2008, came into force on 6 April this year.
The ICO is authorised to issue a monetary penalty notice where there has been a serious contravention of s4(4) of the Data Protection Act (the 'data protection principles') by the data controller of a kind likely to cause substantial damage or distress; and either the contravention was deliberate or the data controller knew or ought to have known that there was a risk that the contravention would occur and that such a contravention would be of a kind likely to cause substantial damage or distress, but failed to take reasonable steps to prevent the contravention.
The maximum penalty notice is £500,000.
Suitability of a monetary penalty notice in these cases
The ICO has issued guidance stating that monetary penalty notices are intended to act as an encouragement towards compliance with the Data Protection Act, or at least a deterrent to non-compliance. The guidelines also make clear that a monetary penalty notice is only appropriate in the most serious situations. Essentially, the ICO has stated that it will use its power against a data controller who has deliberately or negligently disregarded the law. This stated aim is reinforced by the notices issued to the two organisations at hand, which state that "[the ICO's] underlying objective in imposing a monetary penalty notice is to promote compliance with the Act".
In both cases, the data protection principle breached was principle seven, which states that "appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data". In each case the ICO decided that breach was "serious" and necessitated the issue of a monetary penalty notice.
The service of the first monetary penalty notices, seven months after the availability of the power arose, suggests that the ICO will not be afraid to issue fines in order to promote compliance with the Data Protection Act through deterrence.
The fact that both cases involve breach of the same 'appropriate technical measures' principle underlines the importance of organisations encrypting any sensitive data they may possess, especially where that information is leaving their managed ecosystem. Both cases are similar to high profile incidents in recent years involving the loss of personal data while being sent or held externally, most notably laptops and memory sticks being left on trains.
The A4e case, involving the theft of a laptop in use by a home worker, shows that the ICO is seeking to clamp down on this type of data breach. In neither of the cases does the issue of the notice concern the content or processing of the data held, but rather the fact that data controllers have a duty to safeguard sensitive information wherever it is held.
See further section 5.8.1 of the Privacy Law Handbook