Privacy matters

Alison Deighton reviews the monetary penalties levied so far by the Information Commissioner on public authorities for data breaches, and explains how they can be avoided.

When the Information Commissioner was given powers to impose fines for serious data protection breaches, few of us imagined that the public sector would be the focus of financial penalties. However, nearly a year after the power to fine came into force, four of the six fines issued to date have been imposed on local authorities. Perhaps, on closer scrutiny, this is not so surprising when you consider the large volumes of personal data handled by local authorities and the highly sensitive nature of a lot of that data. So, what can we learn from the fines imposed so far, and how can other local authorities avoid a similar fate?

To fine or not to fine…

Before looking in any detail at the circumstances in which fines have been imposed it is worthwhile revisiting the circumstances in which the Information Commissioner is permitted to impose a fine. Three conditions must be met. Firstly, there must have been a serious breach of one or more of the data protection principles. Secondly, the breach must be likely to cause substantial damage or substantial distress. Thirdly, and most importantly for those responsible for compliance, the breach must have been deliberate or the data controller must have known there was a risk of a breach and failed to take reasonable steps to prevent it.

This last factor is key. If an organisation can demonstrate that it has taken reasonable steps to prevent a breach, then the Information Commissioner will not be entitled to impose a fine. It is therefore crucial for organisations to ensure that they have robust privacy compliance procedures in place and that those procedures are monitored and enforced effectively. Not only will this allow an organisation to defend itself against potential fines, it will also greatly reduce the likelihood of breaches occurring in the first place.

Fines to date

Turning to the fines imposed by the Information Commissioner so far, there are a number of themes which emerge which provide some guidance as to the circumstances in which fines are likely to be imposed – and therefore where compliance resources should be focused – and also on specific actions that authorities can take to avoid similar breaches themselves.

I will now examine the facts of each breach and the actions highlighted in the Information Commissioner's monetary penalty notice which could have been put in place to avoid the breach.

Breach 1

A £120,000 fine was imposed when a spreadsheet containing sensitive personal data about 214 adult social care users was mistakenly sent to an external distribution list instead of to an internal colleague. This breach followed two similar incidents where emails containing personal data had been sent to incorrect group mail addresses.

Actions:

  • Provide appropriate IT training and support to staff
  • Establish naming conventions for group email distribution lists so that the recipients cannot be mistaken
  • Consider encrypting emails containing sensitive personal data

Breach 2

An £80,000 fine was imposed when laptops containing sensitive personal data relating to around 800 individuals were stolen from an employee's home. The laptops were used by a home worker who was part of a team responsible for providing an out-of-hours service. The laptops were unencrypted, in breach of the council's own policies.

Actions:

  • Ensure all laptops and mobile devices are encrypted
  • Provide laptop security devices (e.g. cables and locks) to home workers
  • Monitor staff usage of laptops
  • Carry out working from home risk assessments
  • Consider enabling remote access to main servers out of hours to avoid storing personal data on laptops

Breach 3

A £70,000 fine was imposed for failure to take adequate steps to protect the security of personal data in relation to the data processing activities carried out by the council in the above example.

Actions:

  • Ensure written contracts are in place with data processors
  • Ensure data processor contracts contain adequate obligations in relation to security, including a requirement to encrypt all mobile devices
  • Carry out regular monitoring of third party data processing activities to ensure compliance with security requirements

Breach 4

A £100,000 fine was imposed in relation to two incidents where sensitive personal data (relating to a child abuse case and care proceedings) were sent by fax to the wrong recipients.

Actions:

  • Put in place 'phone ahead' and 'confirmation of receipt of fax' procedures when sending sensitive data by fax
  • Consider alternative more secure means of transmission of sensitive personal data
  • Nominate officers who are authorised to send faxes
  • Establish a record of faxes sent/confirmations received
  • Carry out an audit of pre-set fax numbers

Breach 5

A £60,000 fine was imposed when an unencrypted laptop containing personal data (including sensitive personal data) relating to 24,000 clients was stolen from an employee's home.

Actions:

  • Ensure all laptops and mobile devices are encrypted
  • Provide laptop security devices (e.g. cables and locks) to home workers
  • Require employees to confirm periodically that they are working in accordance with information security policies and procedures
  • Consider enabling remote access to main servers out of hours to avoid storing personal data on laptops

Breach 6

A £1,000 fine was imposed when personal data (including sensitive personal data) relating to at least 6,000 individuals was leaked on the internet. The data was hosted by a third party and was subject to a distributed denial of service attack following threats from online activists. The ICO indicated that, if the individual had not been of limited means, a fine of £200,000 would have been imposed.

Actions:

  • Obtain professional IT advice when procuring web-hosting services and in relation to the implementation and development of IT systems
  • Ensure that web-hosting packages are appropriate for business use
  • If threats of DDoS attacks are made, take appropriate steps to increase security measures as necessary

Emerging themes and lessons to be learned

It is worth noting that all of the breaches for which fines have been imposed have related to breaches of the seventh data protection principle, namely the obligation to take appropriate measures to keep personal data secure. All of the breaches have also involved the unauthorised disclosure or loss of sensitive personal data, and all of the fines imposed on local authorities involved either unencrypted laptops or the sending of data to an incorrect recipient.

Local authorities examining their own compliance procedures would therefore do well to prioritise security measures (particularly ensuring that all laptops and other mobile devices are encrypted) and the procedures and training they have in place in relation to the handling of sensitive personal data (particularly the means of sending data to third parties).

If sensitive personal data is being sent externally it will be worthwhile examining whether faxes should ever be used. Encrypted emails and password-protected electronic documents are a more secure means of transmission and make it much less likely that an unintended recipient would ever be able to view unauthorised data even if a mistake is made.
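As an added illustration of the Breach 1 action on naming conventions for distribution lists and the point above about sending sensitive data externally, here is a pre-send check (example code written for this article, not from the author, the ICO or any product) that blocks unencrypted sensitive personal data addressed to external recipients or external-facing lists and asks for confirmation when an internal list is used; the council domain, the list-name prefixes and the message fields are all assumptions.

```python
# Pre-send guard for emails that carry sensitive personal data.
# Assumed naming convention (constructed for this example, not from the
# article): internal lists are "dl-int-<team>@<council domain>", external
# lists "dl-ext-<name>@<council domain>"; other council addresses are
# individual mailboxes and any other domain is external.
from dataclasses import dataclass
from typing import List, Tuple

COUNCIL_DOMAIN = "council.example"  # placeholder domain, constructed
INTERNAL_LIST_PREFIX = "dl-int-"
EXTERNAL_LIST_PREFIX = "dl-ext-"


@dataclass
class Message:
    sender: str
    recipients: List[str]
    contains_sensitive_data: bool  # set by the author or a DLP classifier
    encrypted: bool = False        # body and attachments encrypted end to end


def classify(address: str) -> str:
    """Map a recipient to one of four kinds using the naming convention."""
    local, _, domain = address.strip().lower().rpartition("@")
    if domain != COUNCIL_DOMAIN:
        return "external"
    if local.startswith(INTERNAL_LIST_PREFIX):
        return "internal-list"
    if local.startswith(EXTERNAL_LIST_PREFIX):
        return "external-list"
    return "internal-individual"


def check_message(msg: Message) -> List[Tuple[str, str, str]]:
    """Return (recipient, severity, reason) findings; empty means OK to send.

    'block' stops the send; 'warn' asks the sender to confirm list membership.
    """
    if not msg.contains_sensitive_data:
        return []
    findings = []
    for rcpt in msg.recipients:
        kind = classify(rcpt)
        if kind in ("external", "external-list") and not msg.encrypted:
            findings.append((rcpt, "block",
                             f"{kind} recipient: sensitive data must be encrypted"))
        elif kind == "internal-list":
            findings.append((rcpt, "warn",
                             "distribution list: confirm every member needs this data"))
    return findings
```

The same check can run at a mail gateway rather than in the client, so that the convention is enforced even when a user picks a list from the address book by mistake.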

Home-working procedures should also be assessed as a priority to ensure not only that work-issued laptops are encrypted, but also that employees are aware of and are complying with information security policies. In the case of Breach 2, one of the laptops stolen from the employee's home was the employee's own laptop, which the employee was also using for work purposes. Home working policies should clearly specify the equipment which employees are permitted to use for work purposes and the information security measures that must be taken when using such equipment (including encryption requirements and physical security requirements such as use of cable locks).

Breach 3 highlights the importance of putting in place appropriate written procedures when sharing personal data with other local authorities. Often local authorities will subject contracts with private suppliers to a much higher level of scrutiny than arrangements with other local authorities. While this may be appropriate in some circumstances, it is clear that where personal data is being shared, the procedures and obligations put in place in relation to data security need to be just as robust as they would be for a private supplier.

These common themes emphasise not only the importance that the Information Commissioner places on these issues but also the ease with which mistakes can be made. In the case of Breach 4, the breaches occurred due to manual errors when typing in fax numbers. In Breaches 2 and 3, both councils had policies in place requiring laptops to be encrypted but failed to take steps to ensure that their own policies were being followed and enforced in practice.

It is clearly not sufficient to have good policies in place. Appropriate training and monitoring procedures need to go hand-in-hand with those policies to ensure that employees understand what those policies mean for their day-to-day operations. Local authorities that can demonstrate that they have implemented a comprehensive privacy compliance programme will be best placed to defend any enforcement action by the Information Commissioner and to resist a fine – in these straitened economic times the budget expended on ensuring privacy compliance may well prove to be money well spent.

Alison Deighton is an associate and Head of Data Protection at national law firm TLT. She can be contacted on 0117 917 8016 or by email.