SaaS Agreements – Data Protection – Data Commissioner Imposes First Fines in the UK

On the 24th of November 2010, the employment services company A4e and Hertfordshire County Council were fined £60,000 and £100,000 respectively by the Data Commissioner for serious breaches of the Data Protection Act (DPA).

Data Protection Act 1998

The Data Commissioner has the power to impose a fine of up to £500,000 on a data controller who seriously breaches the DPA, if the contravention was of a kind likely to cause substantial damage or substantial distress. The contravention must either have been deliberate or the data controller must have known or ought to have known that there was a risk that a contravention would occur and failed to take reasonable steps to prevent it.

A4e and Hertfordshire County Council Cases

A4e allowed an employee to take home an unencrypted laptop containing personal information, including the sensitive personal data of 24,000 people. The laptop was stolen from the employee’s house and data was accessed due to the lack of encryption.

In June 2010 Hertfordshire County Council accidentally faxed child sexual abuse information to the wrong recipients twice in a fortnight.

In both cases the loss of data was reported to the Data Commissioner’s office.

When will Fines be Imposed?

The Data Commissioner said its office would take the following factors into consideration when considering whether or not to impose fines for data breaches:

  • whether the breach is ‘serious’; and
  • whether it leads to serious harm or distress for the data subjects involved.

How is the Level of the Fine Determined?

In deciding upon the level of the fine the Data Commissioner will consider:

  • the size of the data controller organisation;
  • the financial and other resources of the data controller;
  • whether the breach is a “one-off”;
  • the type of data that is lost or disclosed;
  • the duration and extent of the breach;
  • the steps taken to remedy the breach.

In the A4e case a fine was imposed because A4e did not take reasonable steps to avoid the loss of the data. It issued the employee with an unencrypted laptop, despite knowing the amount and type of data that would be processed on it.

In the Hertfordshire County Council case the fine was imposed because of the sensitive nature of the information and the fact that the same breach occurred within a period of 2 weeks.

How to Avoid Fines

If A4e had taken the simple step of encrypting the data, thousands of people’s privacy would not have been potentially compromised.

In view of the above, it is imperative that you take reasonable steps to avoid data protection breaches to limit your exposure to having such fines imposed. The following basic precautions should be taken:

  • ensure that all laptops, memory sticks and backup tapes are encrypted;
  • have appropriate data protection policies and procedures in place;
  • carry out due diligence on your security procedures and those of your sub-contractors and third parties;
  • regularly audit compliance with your security procedures by sub-contractors and third parties.


Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years’ experience in the IT sector. If you require assistance with any SaaS, ASP, software on demand contracts or any other IT legal issues contact me:
