Since the power of the Information Commissioner's Office (ICO) to impose fines for breaches of the Data Protection Act was increased in April 2010 to a maximum fine of £500,000, the ICO has imposed a number of substantial fines.
The ICO has fined organisations in the public sector (local authorities and a police force), the private sector (an employment service company) and most recently a charity. It was reported recently that in a 12 month period the ICO had issued 15 fines making up some £1.8 million in total.
While it is the ICO's practice to guide and assist organisations with data protection compliance and to act proportionately in exercising its powers, the ICO has demonstrated that in appropriate circumstances it will impose a substantial fine for a breach of data protection law. When considering a financial penalty, the factors the ICO takes into account include the seriousness of the breach, the likelihood of substantial distress or damage to the individuals whose personal data is at issue, whether the breach was deliberate or was something the organisation knew or ought to have known about and, finally, what steps the organisation took to prevent the breach.
A common feature of several of the cases where the ICO has imposed a substantial fine is that the personal data had been removed from the premises of the organisation by an employee and thereafter the data had been lost or stolen.
It is very clear that where personal data is held on a laptop, memory stick or other portable device that leaves the premises of the organisation, password protection on its own is not enough. The data must be encrypted.
Organisations should ensure that staff are adequately trained as to compliance with the Data Protection Act, put in place clear policies and procedures for processing personal data (and ensure that these are being adhered to in practice), consider the risks in dealing with personal data (and take steps to guard against those risks) and be able to respond swiftly in the event of a breach so as to mitigate the effects thereof.
These measures are necessary for an organisation to demonstrate that it has complied with the data protection principles, including the seventh principle which requires that it take appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against its accidental loss or destruction.