ICO slaps London councils with £150,000 in fines

The Information Commissioner's Office (ICO) has fined two more organisations for failing to encrypt laptops that contained sensitive personal information.

Ealing Council lost the details of almost 1,000 clients and has been fined £80,000, while Hounslow Council lost the details of 700 clients and has been fined £70,000.

The ICO said that there is no evidence that the data on the computers has been accessed, and no complaints from the affected clients, but that there was still a significant risk to privacy.

Deputy ICO commissioner David Smith hopes that the fines will send a warning to other organisations that data security has to be taken seriously.

"Of the four monetary penalties that we have served so far, three concern the loss of unencrypted laptops. Where personal information is involved, password protection for portable devices is simply not enough," he said.

"Both councils have paid the price for lax data protection practices. I hope all organisations that handle personal information will make sure their houses are in order, otherwise they too may have to learn the hard way."

However, Chris McIntosh, chief executive of encryption firm Stonewood, questioned whether the fines are sufficient.

"Despite the ICO reporting on incidents such as these and imposing fines, the message on the importance of encryption is clearly not getting through. Valuing each person's details at less than £50 is clearly not enough of a deterrent," he said.

"That a further 1,700 personal details have been put at risk is clearly not acceptable, and fines of £80,000 and £70,000, while significant, do not go far enough to stamp this out."

McIntosh argued that the ICO should be issuing far stronger penalties, pointing out that the watchdog has the power to impose fines of up to £500,000.

"This would clearly serve as a powerful message to those continuing to ignore the risk of putting other people's data at risk," he said.

Stewart Room, a partner at law firm Field Fisher Waterhouse, argued that the ICO fines prove that data controllers must make encryption a top priority.

"As regards the amount of the fines, I do think they will make some people sit up and take notice. They are certainly considerable when you take account of the fact that these organisations fell victim to crime. This is a lot of money to pay out when you fall victim of a burglary."

"It is also possible to detect a trend here, with the focus of ICO's fines so far being restricted to three local authorities and one SME. It will be interesting to see if ICO refocuses on big business. Only time will tell."

The penalties are the third and fourth issued by the ICO, following fines of £100,000 to Hertfordshire County Council and £60,000 to employment services company A4e.