After a cavalcade of data protection breaches the Information Commissioner’s Office (ICO) have finally decided to punish a council. The fine, £120,000, is one of the highest given out yet.
Surrey County Council were investigated for three separate incidents, and were found to have been negligent in all three. The first occurred in May 2010, when the mental and physical health information of 241 individuals was sent to the wrong group of email addresses. Instead of the intended recipients, the details were sent to taxi cab and coach firms. Although the council attempted to recall the email, it could not be certain what had happened to the information. To make matters worse, the file was neither encrypted nor password protected, meaning anyone who received it could open it.
The next month the council sent a second email containing the personal data of several people to 100 recipients of the council newsletter by mistake. Finally, in January 2011, Surrey's Children's Services department sent confidential health information to the wrong email list.
This catalogue of errors led the ICO to decide that a stern punishment was necessary. Christopher Graham, the Information Commissioner, said in his statement that the fine of £120,000 reflects the seriousness of the incident:
“The fact that the first breach saw sensitive personal information relating to the health and welfare of 241 vulnerable individuals being sent to the wrong people is shocking enough. But when you take into account the two similar breaches that followed, it is clear that Surrey County Council failed to fully address the risks of sending sensitive personal data by email until it was far too late.”
“Any organisation handling sensitive information must have appropriate levels of security in place. Surrey County Council has paid the price for their failings, and this case should act as a warning to others that lax data protection practices will not be tolerated.”
“Punitive measures are decided on a case-by-case basis,” he said. “We have to look at the sensitivity of the information, whether the organisation in question did enough to prevent the breach, and the ability of the organisation to pay. Every organisation and every data breach is different.”
Christopher Graham had previously stated he didn't want to use the 'big stick' of fines to enforce data protection, but hopefully this represents the ICO taking a more hard-line approach to fining those responsible for data breaches. In recent cases there have been far too many councils and organisations given the option of signing an undertaking to improve performance rather than pay an actual fine. Here at Big Brother Watch we firmly believe that only fines will alter the behaviour of those organisations with a lackadaisical approach to the protection of sensitive information.
Have a look at what is being uncovered at Westminster Council who are already on the ICO's watchlist.
http://thecolemanexperience.wordpress.com/
Posted by: thecolemanexperience | 10/06/2011 at 11:50 AM
Is this a joke?
It must be!
Just who pays this fine? Councils don't have any money, only ratepayers have money.
The ICO and Christopher Graham ought to be replaced by someone with at least a rudimentary understanding of finance and economics.
The correct punishment by Surrey Council is the firing of the responsible employees.
Posted by: Nevervote | 10/06/2011 at 04:02 PM
Nevervote, absolutely correct. Public bodies must never be fined since it is the taxpayer who pays the fine in the end. Either through reduced service because the fine cuts into a budget or through increased taxes to cover the fine. With public bodies, the person responsible must be sacked. If it's a management problem then it should be the head of department who goes.
Posted by: SadButMadLad | 13/06/2011 at 04:17 PM