ICO issues another fine under the DPA following sensitive data loss by a local authority

The Information Commissioner’s Office (ICO) has announced this morning that it has issued another monetary penalty under the Data Protection Act.

Once again, the recipient is a local authority, and once again the penalty has been imposed following the loss of sensitive personal data (in this case relating to the sexual abuse of children). A social work service manager took home a laptop bag containing printed papers and an encrypted laptop. The manager’s house was burgled and the laptop bag (including the papers) stolen.

In this case, it appears that there was no alternative to the manager taking the papers home, and that the work could not have been carried out using secure electronic means. Whilst the local authority had an information security policy in place, the policy did not address the risks highlighted by this breach. In particular, the local authority did not have a paper handling policy in place at the time of the incident. This is despite the local authority having signed an undertaking with the ICO following an earlier incident some 10 months before.

The ICO issued a fine of £70,000.

Appropriate measures
Whilst the burglary might be “bad luck”, the ICO pointed to the obligations on data controllers to put in place appropriate technical and organisational measures to protect personal data.

In determining what is “appropriate” the data controller must ensure a level of security that is appropriate to the harm that might result from unauthorised disclosure and the nature of the data to be protected.

In other words, the more sensitive the data (and the more harm and distress that might arise in the event of its loss or unauthorised disclosure), the more the ICO expects data controllers to do to guard against such loss or unauthorised access.

A data controller might not be able to stop a burglary taking place, but it can take steps to reduce the likelihood of it occurring, and minimise the fallout.

These themes were covered in a recent talk I gave at a conference on data handling in health and social care, and I will be blogging again in the next few days to pull together some key principles that organisations can take from the pattern of fines issued by the ICO to date.

Watch this space.

May 2012