How the loss of a laptop can lead to a hefty fine
Think the need for formal data protection controls is overstated? Never had a problem in the past? Unfortunately, all it takes is one slip-up and you could be exposed to regulatory scrutiny and penalties.
Since acquiring new powers in April 2010 to fine organisations for serious breaches of the Data Protection Act 1998, the Information Commissioner’s Office (“ICO”) has imposed six monetary penalties, ranging from £1,000 to £120,000.
The penalties have arisen following seemingly simple events: misdirected faxes/emails and loss of laptops. The one more unusual event (at least in terms of publicised data breaches) was faced by ACS Law when its email files mistakenly became available for download from public websites.
These events were of course the triggers for the breaches and the resulting penalties. However, in assessing a breach and deciding on an appropriate penalty, the ICO also looks behind the scenes to examine the surrounding circumstances.
- Nature and effect of the event: The event itself may impact: (a) the seriousness of the breach; and (b) the damage and distress it is likely to cause. These are both criteria to consider in imposing a penalty and are likely to be intensified where sensitive personal data is involved (for example relating to health or criminal offences). If the breach is more than a one-off event, it may also be deemed more serious.
- Circumstances leading to the event: The ICO’s assessment will consider the data protection controls and behaviours of the relevant organisation. In its penalty notices, the ICO has highlighted practical steps which may mitigate (or, if not taken, increase) the seriousness of a breach and the level of the penalty, for example:
- Security controls: encryption rather than reliance on password protection, physical security such as securing laptops in different locations, controls over accidental fax or email mis-transmission.
- Implementation of policies: Drafting a written policy is not the end of the line, it also needs to be communicated effectively, and its compliance monitored and enforced in practice. For example, if your policy requires laptops to be encrypted, then check that this is actually being done.
- Risk assessments and reviews: Assess and monitor what data should be protected, the potential breaches and security measures to protect against them.
- Training and awareness of staff: This may include training on how to use IT resources appropriately and effectively, as well as data protection requirements in themselves. It is also important to ensure that all staff actually attend scheduled training sessions.
- Controls over service providers: Assess the adequacy of security implemented by providers as well as in-house security.
- Remedial and preventative action: An additional factor to establish before imposing a penalty is that the breach was deliberate or the organisation should have known it was likely to occur. If similar incidents have happened before or there are warning signs of a potential breach, sufficient remedial or preventative action should have been taken. Action may need to be taken to change procedures rather than remind staff of ineffective procedures. Prompt reporting of breaches to the ICO may also reduce the penalty.
- Impact on the data controller: In setting a penalty, the ICO will consider the financial resources of the organisation and other impacts such as reputational damage. The ICO noted that the breach by ACS Law would have attracted a fine of £200,000 had the owner not ceased trading at that time and had limited finances.
What does this mean?
The enforcement action taken by the ICO in the last couple of years (including criminal prosecutions, enforcement notices and required undertakings as well as the monetary penalties highlighted above) shows that data protection can no longer be ignored in the hope that no one will notice. In addition to the penalties themselves, the consequences may include bad publicity, declining customer trust and high costs in putting matters right.
Whilst a lot of organisations may now be realising that data protection is a real issue (see, for example, ICO news release “Businesses waking up to data protection responsibilities”: http://www.ico.gov.uk/news/latest_news/2011/businesses-waking-up-to-data-protection-responsibilities-21102011.aspx), a lot are not yet implementing required controls to ensure compliance and minimise breaches.
Even some relatively well-established businesses still take a view that formal data protection measures such as policies, training and reviews are “over-kill” and unnecessary, particularly as they have never had any problems in the past. Whilst no problems arise, the lack of controls may be relatively well-hidden. However, as the recent incidents have shown, all it takes is one slip-up to trigger exposure to complaints, regulatory action and monetary penalties.
Olivia Whitcroft, principal of OBEP, 9 November 2011
This article provides general information on the subject
matter and is not intended to be relied upon as legal advice. If you
would like to discuss this topic, please contact Olivia Whitcroft using
the contact details set out here: Contact