The Ministry of Justice’s fine of £180,000 is just one recent example of the Information Commissioner’s Office’s (ICO) statutory power to issue fines for serious breaches of the Data Protection Act and the Privacy and Electronic Communications Regulations.
The fine is particularly notable as it represents one of the highest imposed on a government department. It was issued in response to the ministry's "failing" in allowing data to be handled insecurely at 75 prisons across England and Wales.
Needless to say, businesses and other organisations must take their data protection obligations seriously or they risk exposing themselves to potentially hefty fines too.
What Kind of Data Protection Breach Leads to a £180,000 Fine?
The details of the Ministry of Justice's data breach begin in May 2012, when the prison service provided new hard drives to various prisons. Unbeknown to the prison service, the hard drives were not encrypted by default, with the result that extremely sensitive information was handled insecurely by prisons for at least a year.
The negative effects of this serious breach were exacerbated when, during this time, a hard drive containing the unencrypted information of approximately 2,935 prisoners, including many with links to organised crime, was lost.
Contravention of the Data Protection Act
Following a serious contravention of sections 55A to 55E of the Data Protection Act, the ICO may impose a monetary penalty notice requiring the data controller or person to make a specified payment under £500,000. The ICO may also impose similar fines if the data controller or person has seriously contravened the Privacy and Electronic Communications Regulations 2003.
Data protection is a form of regulation which is growing ever more important as organisations store increasing amounts of personal data. This is why the ICO has been given statutory power not only to enforce secure data handling but also to prevent spam texts, unsolicited live or automated sales calls, and the use of internet cookies to deliver unwanted marketing communications.
Other Recent Fines from the ICO
Other recent examples of the ICO levying fines include fines against businesses and even the police.
A £50,000 fine was imposed on a company called Reactive Media Ltd, following an investigation which found that it had made hundreds of unsolicited calls to people who had not given consent to receive marketing communications.
Furthermore, last March Kent Police were fined £100,000 after leaving highly sensitive and confidential information in a basement at the site of a former police station.
In July, Think W3 Ltd, a travel services company, was handed a £150,000 fine after a serious breach of the Data Protection Act had revealed the details of thousands of people to a malicious hacker.
Strong statutory powers, including the levying of huge fines, are clearly necessary in the age of the internet where the consequences of serious data breaches are often irremediable. Once personal data is out in the public domain it is almost impossible to make it private again.
The powers of enforcement granted to the ICO mean that no organisation is immune.
Organisations facing prosecutions for breaches of the Data Protection Act should seek immediate legal advice.
Prevention is always better than cure, though, and ensuring that your organisation and employees are aware of their data protection responsibilities before an incident occurs is a sound investment. For specialist advice contact Peter Gourri today by email at PGourri@rollingsons.co.uk or by telephone on 0207 611 4848.