Last week was a busy week in the world of UK data protection enforcement, with reports of not one, but two significant data protection enforcement acts by the Information Commissioner’s Office (“ICO“).
£120,000 Monetary Penalty Notice for Surrey County Council
First, there was the news that the ICO had imposed a fine of £120,000 on Surrey County Council for a serious breach of the Data Protection Act 1998 (“DPA”). The fine related to misdirected e-mails sent by Council staff on three separate occasions, with each e-mail resulting in confidential and sensitive personal information falling into the hands of unintended recipients. The most serious of the three incidents saw sensitive personal information about 241 individuals’ physical and mental health being inadvertently sent to various transportation companies, including taxi firms and coach and mini bus hire services. The other incidents concerned sensitive personal information being inadvertently circulated to newsletter registrants and to an incorrect group mailing list.
Following the fine, Information Commissioner Christopher Graham said: “Any organisation handling sensitive information must have appropriate levels of security in place. Surrey County Council has paid the price for their failings and this case should act as a warning to others that lax data protection practices will not be tolerated.”
s.55 prosecution against former T-Mobile employees
In a separate development, two former employees of T-Mobile were prosecuted and fined a total of £73,700 for having stolen and sold customer data from the company on 2008. The former employees, David Turley and Darren Hames, pleaded guilty to the section 55 DPA offence of unlawful obtaining of personal data. The prosecution was the culmination of a joint investigation by the ICO and T-Mobile into how customers’ names, addresses, telephone numbers and customer contract and end dates were being unlawfully supplied to third parties.
What this means
These reports highlight that the ICO’s data protection enforcement capabilities, having been criticised for so long by privacy commentators, are really beginning to ramp up. Since the introduction of its fining powers in April 2010, the ICO has now issued no fewer than 6 fines (one every two months or so) with an aggregate total of £431,000, including two against private businesses. The ICO has also demonstrated that it is not a ‘one trick pony’, showing that it will resort to criminal prosecutions (as in the case of the former T-Mobile employees) and other means of enforcement where these are warranted.
More tellingly, we are also starting to learn what makes the ICO tick. The subject of fines issued so far have included:
- misdirected communications of sensitive personal information (on e-mail and by fax);
- unencrypted laptop theft;
- failure to exercise proper due diligence over data processors; and
- unlawful publication of individuals’ sensitive personal information online.
The message for data controllers is clear – lead by example, don’t risk becoming the example!