A county council that faxed details of a child sex abuse case to a member of the public is to be fined �100,000 for breaching the Data Protection Act.
Hertfordshire County Council is one of two bodies fined by the Information Commissioner - both have apologised.
Sheffield-based A4e was fined �60,000 for losing an unencrypted laptop with the details of thousands of people.
The commissioner said the fines - the first he has issued - would "send a strong message" to those handling data.
Commissioner Christopher Graham was granted the authority to serve financial penalties for data protection breaches in April of this year.
Hertfordshire County Council was fined after two incidents where two faxes containing highly sensitive personal information involving a child sex abuse case and care proceedings were sent to the wrong recipients.
Fax mistakesThe breaches occurred in June, when employees in the council's childcare litigation unit accidentally sent two faxes to the wrong recipients on two separate occasions. The council reported both breaches to the Information Commissioner's Office (ICO).
The first misdirected fax was meant for a barristers' chambers but was sent instead to a member of the public.
"Start Quote
End Quote Christopher Graham Information CommissionerThese first monetary penalties send a strong message to all organisations handling personal information - get it wrong and you do substantial harm to individuals and the reputation of your business"
The council subsequently obtained a court injunction prohibiting any disclosure of the facts of the court case or circumstances of the data breach.
The second misdirected fax, sent 13 days later by another member of the council's childcare litigation unit, contained information relating to the care proceedings of three children, the previous convictions of two individuals, domestic violence records and care professionals' opinions on the cases.
The fax was intended for Watford County Court but was mistakenly sent to a barristers' chambers unconnected with the case.
The commissioner ruled that a penalty of �100,000 was appropriate, given that the council's procedures failed to stop two serious breaches taking place.
And after the first breach occurred, the council did not take sufficient steps to reduce the likelihood of another breach occurring, the ICO said.
Laptop theftMr Graham said: "It is difficult to imagine information more sensitive than that relating to a child sex abuse case. I am concerned at this breach - not least because the local authority allowed it to happen twice within two weeks."
A spokesman for Hertfordshire County Council said it accepted the commissioner's findings.
"We are sorry that these mistakes happened and have put processes in place to try and prevent any recurrence," he added.
The A4e data breach also occurred in June, after the company - a private sector company which provides information on employment and starting a business - issued an unencrypted laptop to an employee so they could work at home.
The computer contained personal information relating to 24,000 people who had used community legal advice centres in Hull and Leicester.
But it was later stolen from the employee's house and an unsuccessful attempt to access the data was made shortly afterwards.
Personal details recorded on the system included full names, dates of birth, postcodes, employment status, income level, information about alleged criminal activity and whether an individual had been a victim of violence.
A4e reported the incident to the ICO and the company subsequently notified the people whose data could have been accessed.
'Substantial harm'The commissioner ruled that A4e did not take reasonable steps to avoid the loss of the data when it issued the employee with an unencrypted laptop, despite knowing the amount and type of data that would be on it.
Mr Graham said the theft of the laptop was "less shocking" than the council's security breaches.
But he said it "also warranted nothing less than a monetary penalty as thousands of people's privacy was potentially compromised by the company's failure to take the simple step of encrypting the data".
He added: "These first monetary penalties send a strong message to all organisations handling personal information - get it wrong and you do substantial harm to individuals and the reputation of your business. You could also be fined up to half a million pounds."
A4e chief executive Andrew Dutton said: "We acted very swiftly after the incident in June, including making a voluntary report to the ICO. We alerted all customers, partners and relevant authorities affected and continue to update them.
"This incident occurred as a result of a breach of our security procedures. It also came at a time when A4e was rolling out a new, robust, company-wide set of security controls and procedures.
"Our priority has always been, and remains, our customers and partners. We have apologised for any distress caused to those involved in this one-off incident in Hull and Leicester and we do so again."
0 comments:
Post a Comment