ICO Starts Punishing Councils for Data Privacy Breach
The Information Commissioner’s Office (ICO) has previously been criticized for not exercising its power to penalize those who breach data privacy laws. Now the ICO has shown what mishandling the public’s personal information can cost an organization.
For the first time since April, when it was given the power to issue fines for data privacy breaches, the ICO has used that mandate to penalize Hertfordshire County Council and employment services company A4e, with fines of £100,000 and £60,000, respectively.
Hertfordshire County Council was penalized after its employees twice faxed personal data to the wrong recipients, the ICO said. The first case involved information about child sex abuse, which was sent to an ordinary citizen when it was supposed to go to the barristers’ chambers. The other case involved data on care proceedings.
ICO commissioner Christopher Graham expressed concern about the incident because the local council tolerated such an infringement of data privacy “twice within two weeks.”
In the case of A4e, an unencrypted laptop containing the personal information of 24,000 people who used community legal advice centers in Hull and Leicester was stolen.
Graham said he expected the move to encourage more firms to maintain highly secure measures for protecting data privacy within their organizations.
“Get it wrong and you do substantial harm to individuals and the reputation of your business,” he added.
Stewart Room, partner in Field Fisher Waterhouse’s Privacy and Information Law Group, expressed admiration for the information commissioner’s display of “guts and appetite” in penalizing a local authority for data privacy infringement despite the economic crisis.