SaaS Agreements – Data Protection – Further Fines by Data Commissioner

On the 8th of February 2011 Ealing and Hounslow Councils were fined £80,000 and £70,000 respectively by the Data Commissioner for serious breaches of the Data Protection Act (DPA) following the theft of two laptops from the house of an employee of Ealing Council.

Data Protection Act 1998

The Data Commissioner has the power to impose a fine of up to £500,000 on a data controller who seriously breaches the DPA, if the contravention was of a kind likely to cause substantial damage or substantial distress. The contravention must either have been deliberate or the data controller must have known or ought to have known that there was a risk that a contravention would occur and failed to take reasonable steps to prevent it.

Ealing and Hounslow County Council Cases

Ealing Council operated an out-of-office service on behalf of both councils using nine staff working from home with laptops. As part of the service information about individuals  including names, dates of birth, gender, ethnicity, addresses and telephone numbers were stored on the laptops. Following the theft of two laptops the personal data of approximately 1,000 clients of Ealing Council and 700 clients of Hounslow Council was potentially compromised.

Reason for the Fines

According to the ICO, Ealing Council breached the Seventh Data Protection Principle of the 1998 UK Data Protection Act, as it issued unencrypted laptops, and had insufficient processes in place to check that the relevant policies were being followed or understood by staff. Hounslow Council was found to have breached the Act for failing to have a written contract in place with Ealing Council.

The fines were imposed even though to date there is no evidence that any data on the computers has been accessed and no complaints have been received by the data controller from clients.

How to Avoid Fines

If the Council had taken the simple step of encrypting the data (in accordance with its own policies), thousands of people’s privacy would not have been potentially compromised.

In view of the above, it is imperative that you take reasonable steps to avoid data protection breaches to limit your exposure to having such fines imposed. The following basic precautions should be taken:

  • ensure that all laptops, memory sticks and backup tapes are encrypted;
  • have appropriate data protection policies and procedures in place;
  • carry out due diligence on your security procedures and those of your sub-contractors and third parties;
  • audit compliance with your  security procedures of sub-contractors and third parties regularly.


Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years experience in the IT sector. If you require assistance with any SaaS, ASP, software on demand contracts or any other IT legal issues contact me:

To register for my newsletter click here


Other related articles: