You may recall that in our February 2010 Update we set out how the Information Commissioner has the power to levy fines of up to £500,000 for serious breaches of the Data Protection Act 1998 (DPA) in addition to the unlimited fines that the Financial Services Authority (FSA) can impose on regulated businesses. In our October 2010 Update, we reported how the FSA fined Zurich Insurance plc's UK operation £2.275m for data protection related failings. We now draw your attention to how the Information Commissioner can 'bite' in respect of practices closer to home. One of the first fines was imposed for lax procedures in relation to home working.
Many of us choose to take work home for various reasons; perhaps you occasionally burn the midnight oil due to an impending deadline or maybe you have a regular arrangement with an employer. Approximately one third of the employees of A4e Limited (A4e), a public services company, work from home. Recently one such employee was issued with a company laptop for use when working in this way. Unfortunately this employee's home was burgled - the laptop was among the items stolen. It contained sensitive and personal data in respect of 24,000 clients. The data stolen included the names, dates of birth, genders, postcodes and criminal history of the individuals.
As a consequence of the loss of the data, the Information Commissioner's Office (ICO) found that A4e had breached the law by failing to take "appropriate technical and organisational measures...against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data", as set out in the DPA. It found that the contravention was particularly serious given the circumstances, e.g. the fact that sensitive personal data, which had been inadequately safeguarded, was stolen, causing substantial distress to the data subjects (an event that was deemed to have been foreseeable by A4e). As a result A4e was fined £60,000 (although it was offered an early payment discount of 20%).
So what could A4e have done in order to avoid this large fine? From the ICO ruling it seems that adopting measures such as the following could help protect a business from exposure to financial penalties in such a scenario:
- encrypting laptops
- issuing employees with a Kensington lock (a cable specifically designed to secure laptops and other similar equipment)
- providing employees with access to a central secure network in order to avoid data being stored locally on laptops/home computers.
As we have previously written, management teams should therefore consider seriously whether the working practices of their business comply with data protection laws. As the Information Commissioner has said, "get it wrong and you do substantial harm to individuals and the reputation of your business."
This briefing is written as a general guide only. It is not intended to contain definitive legal advice which should be sought as appropriate in relation to any particular matter.