Breach of the peace

Two major developments in data protection have emerged in 2011 which should be of great concern to those in local government, writes Tim Smith.

Fines for breaches of the Data Protection Act

The Information Commissioner has always had the power to impose fines. Historically these did not always cause enormous concern as the maximum penalty was £5,000. However, following a government consultation the maximum fine was increased in April 2010 to £500,000. These increased fines can have a dramatic impact when coupled with the significant costs that can be incurred where data is lost and measures have to be put in place to prevent that loss causing harm. There is also the reputational harm that can be done through the loss of data.

The Information Commissioner made it clear, when lobbying for the increased penalties, that he was frustrated by the frequency with which some breaches (particularly the loss of unencrypted memory sticks and unencrypted laptops) were happening. Clearly there was little purpose in lobbying for increased powers if there was no intention to use them.

The first four mandatory penalties have now been imposed. Three of them have been imposed on local authorities.

The first penalty was issued to Hertfordshire County Council in connection with two incidents where council employees faxed sensitive personal information to the wrong recipient. In the first instance a fax meant for barristers’ chambers was sent to a member of the public. Only 13 days later a second misdirected fax containing information relating to the care proceedings of three children was sent to barristers’ chambers unconnected with the case instead of to the court. The Information Commissioner considered that a penalty of £100,000 was appropriate given the fact that the Council’s procedures had failed to stop two serious breaches taking place where access to the data could have caused substantial harm and distress. In addition, following the first breach, the Council did not take sufficient steps to reduce the likelihood of another breach occurring.

In the second case, Ealing Council and Hounslow Council were served with penalties after losing two unencrypted laptops containing sensitive personal information. Ealing Council provided an out of hours service on behalf of both Councils. The service relied on laptops to record information about individuals. Two laptops containing details of approximately 1,700 individuals were stolen from an employee’s home. Whilst the laptops were password protected they were not encrypted. This was in breach of both Councils’ policies. Ealing Council received a penalty of £80,000 and Hounslow Council a penalty of £70,000. In the view of the Information Commissioner, Ealing Council had breached the Act by issuing an unencrypted laptop to a member of staff in breach of its own policy. This had been going on for several years, and sufficient checks that policies were being followed and understood by staff had not been undertaken. Hounslow Council had breached the Act by failing to have a written contract in place with Ealing Council and failing to monitor Ealing Council’s procedures for operating the service securely.

The Deputy Information Commissioner said he hoped that “all organisations that handle personal information will make sure their houses are in order – otherwise they too may have to learn the hard way”.

Registering as data controllers

The Information Commissioner has campaigned for a long time to remind councillors who handle personal data that they must check if they need to register as data controllers. This culminated in an announcement in January that councillors must do so or face the risk of a fine of up to £5,000. The Information Commissioner is in the process of writing to councillors across the country to urge them to check they are fulfilling their legal requirements under the Act. Of the 19,000 councillors only 6,000 are currently registered. Whilst not all councillors will need to notify, a failure to do so is a criminal offence and can lead to a fine of up to £5,000 in the Magistrates’ Court or an unlimited fine in the Crown Court.

Councillors need to consider the role in which they are processing personal information. If they do so as a member of a council or as a representative of a major political party they will not normally be required to notify the Information Commissioner. However, when carrying out their role as representatives of the residents in a ward, or as an independent councillor not affiliated to any political party, a councillor may need to notify.

The Commissioner has indicated that councillors who have access to and process personal information as members of the council will be treated in the same way as employees. In such circumstances it is the council rather than the elected member which determines what personal information is used and how it is processed and the elected member does not need to notify in their own right. Where councillors are acting as representatives of the residents in their ward they are likely to have to notify, for example if they use personal information to timetable surgery appointments and forward complaints made by local residents.

Tim Smith is a partner at national law firm Berrymans Lace Mawer LLP.