Substantial penalties for data protection breaches
The Information Commissioner issued the first two monetary penalty notices under powers to fine data controllers up to £500,000.
The first penalty notice was served after a local authority employee mistakenly faxed highly sensitive, and potentially damaging, information regarding a court action for child sex abuse to a member of the public (rather than to the barristers’ chambers). This serious breach prompted officials from the Information Commissioner’s office to attend the employer’s premises to check what remedial steps were being taken. However, that same day, another employee faxed details of care proceedings involving 18 data subjects to the wrong recipient. The Information Commissioner fined the employer £100,000.
The second penalty notice for £60,000 was served on an employer when an unencrypted laptop containing personal data relating to 24,000 people was stolen from an employee’s home. 
The Information Commissioner has power to issue a monetary penalty notice where there is a deliberate and serious breach of the data protection principles of a kind likely to cause substantial damage or distress.  A notice can also be issued where a breach was not deliberate but the employer knew, or ought to have known, that there was a risk of such a breach and failed to take reasonable steps to prevent it. 
It is essential that employers make sure appropriate security is in place when personal data is sent to third parties or removed from the work premises.
