The Information Commissioner’s Office (ICO) has handed out fines to two UK councils for breaching the Data Protection Act after laptops containing personal information were stolen.
Ealing Council and Hounslow Council have been fined £80,000 and £70,000 respectively, the ICO announced.
Ealing Council runs an out-of-hours service on behalf of both councils, staffed by workers operating from home. Council staff on the scheme are given laptops to record information about individuals. Two laptops were stolen from an employee's home, the ICO said. One contained details of nearly 1,000 clients of Ealing Council and the other almost 700 from Hounslow.
While both laptops were password protected, neither was encrypted, contrary to the policy of both councils. The councils contacted the affected individuals, and there is no evidence suggesting the data has been accessed. Both councils have improved their security policies and agreed to undergo an ICO audit, the body said.
Ealing Council was fined for breaching the Data Protection Act by issuing an unencrypted laptop to a member of staff. The ICO also said that this way of working had been going on for years and criticised the council for failing to check if policies were being followed or even understood by members of staff.
Hounslow Council's breach of the DPA was due to the lack of a written contract with Ealing Council and a failure to monitor Ealing's procedures.
"The penalty against Hounslow Council makes clear that an organisation can’t simply hand over the handling of the personal information it is responsible for to somebody else unless they ensure that the information is properly protected," said deputy commissioner David Smith.
"Both councils have paid the price for lax data protection practices," he added. "I hope all organisations that handle personal information will make sure their houses are in order – otherwise they too may have to learn the hard way."
In November last year the ICO dished out its first fines since its new powers were introduced early in 2010. A private sector consultancy called A4e and Hertfordshire County Council were fined a total of £160,000 for breaching the DPA. A4e lost an unencrypted laptop containing the details of around 25,000 people while Hertfordshire County Council faxed highly sensitive personal details to the wrong number.
"Of the four monetary penalties that we have served so far, three concern the loss of unencrypted laptops. Where personal information is involved, password protection for portable devices is simply not enough," Smith said.
Rik Ferguson, senior security advisor at Trend Micro, told CBR that while the financial loss may not be huge, the fact that the ICO has the power to fine organisations will improve security in the long term.
"Any powers to enforce policy and fine organisations are a good thing, because the ICO was a little toothless before," he said. "With public sector organisations the taxpayer will be paying anyway. The real damage comes from the impact it will have on their reputation."