On 8 February 2011 Ealing and Hounslow Councils were fined £80,000 and £70,000 respectively by the Information Commissioner for serious breaches of the Data Protection Act (DPA) following the theft of two laptops from the home of an Ealing Council employee.
Data Protection Act 1998
The Information Commissioner has the power to impose a monetary penalty of up to £500,000 on a data controller for a serious contravention of the DPA, where the contravention was of a kind likely to cause substantial damage or substantial distress. The contravention must either have been deliberate, or the data controller must have known or ought to have known that there was a risk that a contravention would occur and failed to take reasonable steps to prevent it.
Ealing and Hounslow Council Cases
Ealing Council operated an out-of-hours service on behalf of both councils, using nine staff working from home with laptops. As part of the service, information about individuals, including names, dates of birth, gender, ethnicity, addresses and telephone numbers, was stored on the laptops. Following the theft of two of these laptops, the personal data of approximately 1,000 clients of Ealing Council and 700 clients of Hounslow Council was potentially compromised.
Reason for the Fines
According to the ICO, Ealing Council breached the Seventh Data Protection Principle of the Data Protection Act 1998 (appropriate technical and organisational measures against unauthorised or unlawful processing and against accidental loss) because it issued unencrypted laptops, and had insufficient processes in place to check that the relevant policies were being followed or understood by staff. Hounslow Council was found to have breached the Act by failing to have a written contract in place with Ealing Council, which was processing Hounslow's data on its behalf.
The fines were imposed even though, to date, there is no evidence that any data on the laptops has been accessed, and the data controllers have received no complaints from clients.
How to Avoid Fines
If the Council had taken the simple step of encrypting the data on the laptops (in accordance with its own policies), the personal data of around 1,700 people would not have been put at risk, and the theft of the laptops would have been a loss of hardware rather than a loss of personal data.
In view of the above, it is imperative that you take reasonable steps to avoid data protection breaches and so limit your exposure to fines of this kind. The following basic precautions should be taken:
- ensure that all laptops, memory sticks and backup tapes are encrypted (full-disk encryption for laptops, not just a login password, which does nothing to protect data on a stolen drive);
- have appropriate data protection policies and procedures in place, and check that staff actually understand and follow them;
- carry out due diligence on your own security procedures and on those of your sub-contractors and third parties, and put a written contract in place with anyone who processes personal data on your behalf;
- audit compliance with your security procedures, and that of your sub-contractors and third parties, regularly.
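The first and last precautions above can be checked mechanically rather than by asking staff whether the laptop policy was followed. The script below is an added example and not part of the original article: it reads the JSON device tree that Linux's `lsblk -J -o NAME,TYPE,MOUNTPOINT` prints and reports every mounted filesystem that has no dm-crypt (LUKS) ancestor, which is exactly the "unencrypted laptop" condition the ICO fined Ealing for. The embedded sample output is constructed for the example (a LUKS root, a plain `/boot`, and an unencrypted USB stick); the allow-list of boot partitions and the function names are the author's assumptions, not anything from the ICO notice.

```python
"""Audit a Linux laptop for mounted filesystems that are not backed by
dm-crypt/LUKS, using the JSON tree from `lsblk -J -o NAME,TYPE,MOUNTPOINT`.

Added example for this article; not code from the ICO or the councils.
"""
import json
import subprocess
from typing import Dict, Iterable, Set

# Constructed sample of `lsblk -J -o NAME,TYPE,MOUNTPOINT` output (not captured
# from a real machine): the root and /home volumes sit inside a LUKS container,
# /boot and /boot/efi are plain partitions, and a USB stick is mounted in clear.
SAMPLE_LSBLK_JSON = r"""
{
   "blockdevices": [
      {"name": "nvme0n1", "type": "disk", "mountpoint": null,
       "children": [
          {"name": "nvme0n1p1", "type": "part", "mountpoint": "/boot/efi"},
          {"name": "nvme0n1p2", "type": "part", "mountpoint": "/boot"},
          {"name": "nvme0n1p3", "type": "part", "mountpoint": null,
           "children": [
              {"name": "cryptroot", "type": "crypt", "mountpoint": null,
               "children": [
                  {"name": "vg0-root", "type": "lvm", "mountpoint": "/"},
                  {"name": "vg0-home", "type": "lvm", "mountpoint": "/home"}
               ]}
           ]}
       ]},
      {"name": "sdb", "type": "disk", "mountpoint": null,
       "children": [
          {"name": "sdb1", "type": "part", "mountpoint": "/media/usb"}
       ]}
   ]
}
"""

# Mount points that legitimately live outside the encrypted container, because
# the bootloader has to read them before any key is available. Assumed policy.
ALLOWED_PLAINTEXT: Set[str] = {"/boot", "/boot/efi"}


def _mountpoints(node: dict) -> Iterable[str]:
    """Newer lsblk emits a 'mountpoints' list, older ones a single 'mountpoint'."""
    if node.get("mountpoints"):
        return [m for m in node["mountpoints"] if m]
    mp = node.get("mountpoint")
    return [mp] if mp else []


def unencrypted_mounts(lsblk_json: str,
                       allowed: Set[str] = ALLOWED_PLAINTEXT) -> Dict[str, str]:
    """Return {mountpoint: device} for every mounted filesystem whose device
    ancestry contains no node of type 'crypt' and which is not allow-listed."""
    tree = json.loads(lsblk_json)
    findings: Dict[str, str] = {}

    def walk(node: dict, encrypted: bool) -> None:
        # Once we pass through a dm-crypt node, everything beneath it is
        # stored ciphertext-at-rest, whatever further LVM/partition layers sit below.
        encrypted = encrypted or node.get("type") == "crypt"
        for mp in _mountpoints(node):
            if not encrypted and mp not in allowed:
                findings[mp] = node["name"]
        for child in node.get("children", []):
            walk(child, encrypted)

    for device in tree.get("blockdevices", []):
        walk(device, False)
    return findings


def audit_local_machine() -> Dict[str, str]:
    """Run lsblk on the host and audit its real device tree (Linux only)."""
    out = subprocess.run(["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT"],
                         check=True, capture_output=True, text=True).stdout
    return unencrypted_mounts(out)


if __name__ == "__main__":
    # Demonstrate on the constructed sample; swap in audit_local_machine()
    # to check the laptop the script is actually running on.
    for mountpoint, device in sorted(unencrypted_mounts(SAMPLE_LSBLK_JSON).items()):
        print(f"UNENCRYPTED: {mountpoint} on {device}")
```

Run on the sample, the only finding is the USB stick at `/media/usb`; the root and `/home` volumes pass because they sit below the `cryptroot` node, and the two boot partitions are allow-listed. Deployed through whatever configuration-management or MDM tooling you already use, this gives you the evidence of compliance that the councils were unable to show, and it flags removable media (the "memory sticks" in the list above) as well as the laptop's own disk.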
Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years' experience in the IT sector. If you require assistance with any SaaS, ASP or software on demand contracts, or any other IT legal issues, please get in touch.
Other related articles:
- SaaS, ASP Agreement – Data Protection – Data Commissioner Imposes First Fines in UK
- SaaS, ASP Agreements – FAQs – Data Protection
- SaaS, ASP Agreements – Data Protection, Sub-Contractors & Model Clauses
- SaaS, ASP Agreements – Data Protection – Liability for Loss of Backup Tapes
- SaaS, ASP Agreements – Data Protection and Safe Harbor, Issues with German Customers
- SaaS, ASP Agreements – Data Protection – Transfer of Data Outside the EEA
- SaaS, ASP Agreements – Data Protection – Data Stored in the USA
- SaaS, ASP Agreements – Essential Elements
- SaaS Agreements – SLAs Explained – Essential Elements
- SaaS Agreements – Need for an NDA Prior to Signing a SaaS Agreement
- SaaS, ASP Agreements – FAQs – Confidential Information
- SaaS, ASP Agreements – FAQs – Security
- SaaS, ASP Agreements – FAQs – Software Licence
- SaaS, ASP Agreements – FAQs – Source Code and Object Code
- SaaS, ASP Agreements – FAQs – Escrow
- Cloud Computing and the Legal Cloud
- SaaS, ASP Agreements, Software on Demand – Confused?