ICO levies first data-breach fines

The Information Commissioner's Office has imposed fines on Hertfordshire County Council and employment services company A4e for data breaches

The Information Commissioner's Office has used its power to impose data-breach fines for the first time, handing out penalties of thousands of pounds to a council and an employment agency.

Hertfordshire County Council has been given a penalty of £100,000 for faxing sensitive information to the wrong recipients, while A4e must pay £60,000 for losing an unencrypted laptop, the privacy watchdog said on Wednesday.

"These first monetary penalties send a strong message to all organisations handling personal information. Get it wrong and you do substantial harm to individuals and the reputation of your business," information commissioner Christopher Graham said in a statement.

These were the first two organisations to be fined since the powers of the Information Commissioner's Office (ICO) were strengthened in April to fine organisations up to £500,000. One recent high-profile case in which the ICO said it could not levy a fine was Google's unsolicited harvesting of data sent over unsecured Wi-Fi.

Hertfordshire County Council committed two serious breaches of the Data Protection Act, according to the ICO. In the first, which happened in June, an employee faxed information relating to a child sex abuse court case to a member of the public by mistake.

In the same month, another member of the same unit faxed information on care proceedings for three children to a barristers' chambers unconnected with the case. The data included the previous convictions of two people and domestic violence records, and was meant for Watford County Court, according to the ICO.

"It is difficult to imagine information more sensitive than that relating to a child sex abuse case. I am concerned at this breach — not least because the local authority allowed it to happen twice within two weeks," Graham said.

Hertfordshire County Council told ZDNet UK on Wednesday that it was "unlikely to appeal" the ICO fine. "We are sorry that these mistakes happened, and have put processes in place to try to prevent any recurrence," the council said in a statement. "We accept the findings of the commissioner."

The council now has new procedures, such as more rigorous double-checking of numbers before sending faxes, a spokeswoman told ZDNet UK. She added that the breaches were the result of misdialling.

The second penalty, to A4e, was imposed because the employment services company lost an unencrypted laptop in June. The laptop, which was stolen from an A4e employee's house, contained the details of 24,000 people who had used legal advice centres in Hull and Leicester. The details included names, addresses, income level, information about alleged criminal activity, and whether an individual had been a victim of violence. An attempt had been made to access the data.

A4e told ZDNet UK that it had voluntarily told the ICO about the data breach and had notified all the individuals affected. The company has also strengthened its security procedures, including making it mandatory for all data to be encrypted to ISO-standard level, a spokeswoman said.

"All portable equipment used by our employees is now fully encrypted and all members of staff handling customer data cannot load data and will access [it] through secure central servers," she said.

The lack of data protection left the information open to access by outsiders, the ICO said.

"The laptop theft... warranted nothing less than a monetary penalty as thousands of people's privacy was potentially compromised by the company's failure to take the simple step of encrypting the data," Graham said.