Personal Data Security Breaches: Fines from the ICO

In February 2010 we reported on the new powers of the Information Commissioner's Office ("ICO") to impose penalties on data controllers who commit serious contraventions of the data protection principles. See

Since 6 April 2010, the ICO has been able to issue monetary penalties up to a maximum of £500,0001 for serious breaches of the Data Protection Act 1998 ("DPA"). These powers were introduced by Criminal Justice and Immigration Act 2008 ("CJIA") which inserted a new section, s55A, into the Data Protection Act 1998. In November 2010, the ICO issued its first two Monetary Penalty Notices utilising these new powers.

Hertfordshire County Council

In June 2010, an employee of the council's childcare litigation unit sent a fax containing sensitive personal data to an incorrect fax number. The faxed documents contained information relating to a child sexual abuse case being heard in the High Court London. The documents were intended to be sent to a barristers' chambers but were in fact received by a member of the public. The fax contained no header sheet informing the recipient who the intended recipient was and what to do in the case of a misdirected fax. Both the council, as data controller, and the member of the public contacted the ICO.

Following this first incident, and while the ICO was investigating this incident, a further incident occurred whereby further documents containing sensitive personal data relating to ongoing care proceedings were faxed by the childcare litigation unit to a barristers' chambers that were not involved in the case, rather than Watford Country Court who were the intended recipient. The council was informed of the error and the ICO was notified of the further inadvertent disclosure.

Following its investigation, in November 2010, the ICO issued the council with a Monetary Penalty Notice of £100,000. It found that there had been serious breaches of the seventh data protection principle in that appropriate technical and organisational measures had not been taken to safeguard against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. Furthermore the sensitive personal data was of a nature that would cause substantial damage and distress to the data subjects, and could prejudice the court cases to which the data was...

To continue reading

Request your trial

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT