On 9 February 2011 the Information Commissioner's Office (ICO) imposed a second wave of monetary penalties for breaches of the Data Protection Act. This follows the first penalties, issued in November 2010, against Hertfordshire County Council for two serious incidents involving personal data and against A4e for the loss of an unencrypted laptop.
The latest fines were imposed on Ealing Council (£80,000) and Hounslow Council (£70,000). Both cases arose from the theft of two unencrypted laptops from the home of an employee of the out-of-hours service that Ealing operated on behalf of both councils. The laptops held details of approximately 1,700 individuals, almost 1,000 of whom were clients of Ealing Council, with the balance being clients of Hounslow Council. Although the laptops were password-protected, they were not encrypted, in breach of both councils' policies. A login password only controls access through the operating system; it does nothing to protect the data at rest, since the drive can simply be removed and read on another machine. To date there have been no complaints from clients and no evidence that the data has been accessed.
The ICO ruled that Ealing Council had breached both the Data Protection Act and its own policies by issuing an unencrypted laptop to a member of staff. Although the policies had been in place for several years, the ICO found that there were insufficient checks that staff understood and followed them.
The ICO determined that Hounslow Council breached the Act by failing to ensure that a written contract was in place with Ealing Council covering the handling and protection of the personal information, as the Act requires of a data controller whenever processing is outsourced to another organisation. In addition, Hounslow Council did not monitor Ealing's procedures for operating the service securely. This highlights the fact that, when personal data is passed to another organisation to process, the originating organisation remains responsible for it and must ensure that the information is protected to its own requirements. Policies, processes, documentation and contracts must set out clear requirements for the protection of this data. All of these must be reviewed at regular intervals to confirm that they remain up to date, that the risks associated with the data have not changed, and that the service provider can demonstrate that every requirement is being met.
SC Magazine reports the ICO’s Deputy Commissioner, David Smith, as saying: “Of the four monetary penalties that we have served so far, three concern the loss of unencrypted laptops. Where personal information is involved, password protection for portable devices is simply not enough.”
The ICO will no doubt continue to impose these fines until organisations get the message that it takes this kind of security breach very seriously and that steps really must be taken to protect personal data against the loss or theft of laptops. Whilst the fines serve as a wake-up call to every organisation that holds personal data, they also highlight the importance of education and training so that staff are fully aware of the duty of care they owe to this type of data. In particular, staff need to be clear that they are responsible for protecting any corporate laptop (or other portable device) that they remove from the normal office environment. Employers, for their part, need to be sure not only that the necessary security policies and procedures are in place, but also that all their staff heed them on a day-to-day basis.
With reference to the ICO fines, Graeme Stewart, Business Development Director for the UK Public Sector at Sophos, asks: “…wouldn’t it be far more beneficial if this money was spent on finding a proper remedy: user education; remedial action for those whose privacy has been breached; or legal training for people who aren’t lawyers within the authority to explain what the legislation says and means?”
Meanwhile, Kevin Bocek, Director of Product Marketing at IronKey, believes that the fines are having a positive impact “as we’re seeing large parts of the government adopting encryption and make staff demonstrate a legitimate business reason for taking data outside the organisation. Sadly, these fines and actions by the ICO will continue until this practice becomes the norm and not the exception.”
Regency ITC can provide the expertise and experience you need to help prevent your organisation falling foul of the Information Commissioner and to keep your professional reputation intact. By conducting Privacy and Business Impact Assessments, supported by a full risk assessment of your IT infrastructure and user policies, Regency can help you identify your current risks and advise you on how to reduce them. In short, we can support you in taking all reasonable steps to protect the personal data you hold.
For more information on our services, please visit us at www-test.regencyitc.co.uk or call 01242 225 699.