After a cavalcade of data protection breaches, the Information Commissioner’s Office (ICO) have finally decided to punish a council. The fine, £120,000, is one of the highest the ICO has issued so far.
Surrey County Council were investigated over three separate incidents, and were found to have been negligent in all three. The first occurred in May 2010, when the mental and physical health information of 241 individuals was sent to the wrong group of email addresses. Instead of the intended recipients, the details went to taxi cab and coach firms. Although the council attempted to recall the email, it could not be certain what had happened to the information. To make matters worse, the file was neither encrypted nor password protected, so anyone who received it could open it.
The next month the council sent a second email containing the personal data of several people to 100 recipients of the council newsletter by mistake. Finally, in January 2011, Surrey’s Children’s Services department sent confidential health information to the wrong email list.
This catalogue of errors led the ICO to decide that a stern punishment was necessary. In his statement, Christopher Graham, the Information Commissioner, said the £120,000 fine reflects the seriousness of the incidents:
“The fact that the first breach saw sensitive personal information relating to the health and welfare of 241 vulnerable individuals sent to the wrong people is shocking enough. But when you take into account the two similar breaches that followed, it is clear that Surrey County Council failed to fully address the risks of sending sensitive personal data by email until it was far too late.”
“Any organisation handling sensitive information must have appropriate levels of security in place. Surrey County Council has paid the price for their failings, and this case should act as a warning to others that lax data protection practices will not be tolerated.”
“Punitive measures are decided on a case-by-case basis,” he said. “We have to look at the sensitivity of the information, whether the organisation in question did enough to prevent the breach, and the ability of the organisation to pay. Every organisation and every data breach is different.”
Christopher Graham had previously stated that he didn’t want to use the ‘big stick’ of fines to enforce data protection, but hopefully this represents the ICO taking a harder line on those responsible for data breaches. In recent cases far too many councils and other organisations have been given the option of signing an undertaking to improve their practices rather than paying an actual fine. Here at Big Brother Watch we firmly believe that only fines will alter the behaviour of those organisations with a lackadaisical approach to the protection of sensitive information.