Commercial Review

    February 2011

    Penalties … the arguments for sound internal data protection policies …

    In late 2010, the Information Commissioner imposed its first fines on two organisations for breaches of the Data Protection Act 1998. Both of the breaches occurred in June 2010. The first fine, of £100,000, was issued to Hertfordshire County Council in respect of two separate incidents in which the Council’s employees faxed highly sensitive personal information to the wrong recipient. The second fine, of £60,000, was imposed on a company, A4e, in respect of the loss of an unencrypted laptop which contained details of 24,000 people. The details included full names, dates of birth, postcodes, employment status, income level and details of any criminal activity. Whilst none of the breaches in question were intentional and in both cases were outside the control of the organisations, the Commissioner made it clear that it was the failure of the organisations to put in place appropriate procedures to minimise the risk of the breaches taking place that warranted the fines.

    In contrast, it is interesting to note that organisations may remain immune where a data breach occurs solely as a result of one of their employees’ deceit. In July 2010, a former employee of T-Mobile pleaded guilty to unlawfully obtaining and selling personal data. It is reported that the employee, who we understand is yet to be sentenced, stole a large amount of customer data from T-Mobile and resold the data to competitors, allowing them to contact customers nearing the end of their contract with T-Mobile to try to persuade them to join a new network. In this case, T-Mobile (as the data controller) was immune from any prosecution, as T-Mobile could demonstrate that it had in place clear policies on the protection and retention of personal data and that its staff had received training on the same. This case does highlight the need for organisations to check that they have sound internal policies and procedures in place, against which they regularly audit, in order to reduce any insider threat.