13 June 2018
The UK Information Commissioner has wielded new powers for the first time to impose fines for serious breaches of the Data Protection Act. Until now, sanctions for breach of UK data protection law were seen as reasonably weak. However, with these decisions, the game has changed significantly. Organisations processing data in the UK will have to ensure that their data security is robust or face fines of up to £500,000.
In April 2010, fines of up to £500,000 for serious breaches of the Data Protection Act security requirements were introduced. In these first decisions under the new regime, financial penalties – totalling £160,000 – have been slapped on two organisations for data security breaches under the Data Protection Act potentially causing serious distress or damage.
The actual incidents giving rise to the regulatory action were perhaps unexceptional. One was down to individual employee error and the other to a failure to take simple IT security precautions.
In the first case, a local authority twice mistakenly faxed sensitive personal information involving child sex abuse cases and care proceedings to the wrong destinations when incorrect fax numbers were used. The authority was fined £100,000.
In the other case, involving employment training provider A4e, a laptop containing sensitive personal data was stolen from an employee who was working from home. The laptop data, which included individuals' income details and information on criminal records, had been left unencrypted. Although there was no allegation of anyone actually being harmed by the breach, A4e was fined £60,000 simply because individual privacy was being 'potentially compromised'.
The Information Commissioner has said he wants to send a 'strong message' to organisations. In addition, for financial firms, the UK Financial Services Authority has already shown its willingness to impose penalties of over £1 million in relation to data security failures. With these latest developments, one thing is clear: organisations must take privacy compliance across their UK operations very seriously, particularly when handling sensitive or financial data.
These penalties are unlikely to be the last. The consequences of taking only a passing interest in data privacy, or simply ignoring it, have just become considerably more expensive.