ICO hands out first data breach fines

The Information Commissioner's Office (ICO) has issued its first fines for breaches of the Data Protection Act.

The UK data watchdog levied fines totalling £160,000 against two organisations that had failed to protect sensitive information.

Hertfordshire County Council was fined £100,000 after faxing information about child abuse and care to the wrong recipients.

The council committed the offence twice in a two-week period, and in the first instance sent the documents to a member of the public. The council reported both breaches to the ICO.

"It is difficult to imagine information more sensitive than that relating to a child sex abuse case," said information commissioner Christopher Graham.

"I am concerned at this breach, not least because the local authority allowed it to happen twice within two weeks."

Employment services company A4e, meanwhile, was fined £60,000 after losing an unencrypted laptop containing the personal information of some 24,000 people who had sought legal advice in Hull and Leicester.

A4e reported the loss to the ICO, and contacted the people whose data may have been compromised.

"The laptop theft, while less shocking, also warranted nothing less than a monetary penalty as thousands of people's privacy was potentially compromised by the company's failure to take the simple step of encrypting the data," said Graham.

"These first monetary penalties send a strong message to all organisations handling personal information. Get it wrong and you do substantial harm to individuals and the reputation of your business. You could also be fined up to £500,000."

The ICO has been criticised in the past for the way it has handled data breaches, perhaps most notably in the Google Street View case, but has insisted that more fines are likely to follow.

"The power to fine has only been there since April. Many of the cases from before that date may have warranted fines, and more could follow in due course, " said a spokesman.