First Data Protection Act fines issued by commissioner

A county council that faxed details of a child sex abuse case to a member of the public is to be fined £100,000 for breaching the Data Protection Act.

Hertfordshire County Council is one of two bodies fined by the Information Commissioner - both have apologised.

Sheffield-based A4e was fined £60,000 for losing an unencrypted laptop with the details of thousands of people.

The commissioner said the fines - the first he has issued - would "send a strong message" to those handling data.

Commissioner Christopher Graham was granted the authority to serve financial penalties for data protection breaches in April of this year.

Fax mistakes

The breaches at Hertfordshire County Council occurred in June, when employees in the childcare litigation unit accidentally sent two faxes to the wrong recipients on two separate occasions. The council reported both breaches to the Information Commissioner's Office (ICO).

The first misdirected fax was meant for a barristers' chambers but was sent instead to a member of the public.

The council subsequently obtained a court injunction prohibiting any disclosure of the facts of the court case or circumstances of the data breach.

The second misdirected fax, sent 13 days later, contained information relating to the care proceedings of three children, the previous convictions of two individuals, domestic violence records and care professionals' opinions on the cases.

The fax was intended for Watford County Court but was mistakenly sent to a barristers' chambers unconnected with the case.

Mr Graham said: "It is difficult to imagine information more sensitive than that relating to a child sex abuse case. I am concerned at this breach - not least because the local authority allowed it to happen twice within two weeks."

A spokesman for Hertfordshire County Council said it accepted the commissioner's findings.

"We are sorry that these mistakes happened and have put processes in place to try and prevent any recurrence," he added.

The A4e data breach also occurred in June, after the company - which provides information on employment and starting a business - issued an unencrypted laptop to an employee so he or she could work at home.

The computer contained personal information relating to 24,000 people who had used community legal advice centres in Hull and Leicester.

But it was later stolen from the employee's house and an unsuccessful attempt to access the data was made shortly afterwards.

Personal details recorded on the system included full names, dates of birth, postcodes, employment status, income level, information about alleged criminal activity and whether an individual had been a victim of violence.

A4e reported the incident to the ICO and the company subsequently notified the people whose data could have been accessed.

'Substantial harm'

The commissioner ruled that A4e did not take reasonable steps to avoid the loss of the data but said the incident was "less shocking" than the council's security breaches.

Nevertheless, he said it "also warranted nothing less than a monetary penalty as thousands of people's privacy was potentially compromised by the company's failure to take the simple step of encrypting the data".

He added: "These first monetary penalties send a strong message to all organisations handling personal information - get it wrong and you do substantial harm to individuals and the reputation of your business. You could also be fined up to half a million pounds."

A4e chief executive Andrew Dutton apologised, adding: "We acted very swiftly after the incident in June, including making a voluntary report to the ICO. We alerted all customers, partners and relevant authorities affected and continue to update them.

"This incident occurred as a result of a breach of our security procedures. It also came at a time when A4e was rolling out a new, robust, company-wide set of security controls and procedures."

Meanwhile, a survey has found that four out of five people want to see the introduction of a law which would force companies to publicly declare any data breaches.

Such legislation already exists in the United States but in the UK, disclosure is currently voluntary.

The poll of 5,000 people was conducted for data management company LogRhythm by OnePoll.
