On 6 April 2010 the Information Commissioner received the much anticipated new power, under the Criminal Justice and Immigration Act 2008, to impose monetary penalties on those who commit serious breaches of the Data Protection Act 1998.
Prior to April 2010 the Commissioner’s powers were limited, a shortcoming highlighted by The Consulting Association case, in which Ian Kerr was fined only £5,000 plus costs following his successful prosecution for holding a secret database of 3,213 construction workers’ details (the prosecution having been brought for the offence of failing to notify as required by s 17 of the Act). This contrasts with the powers available to other regulatory bodies: the FSA, for example, was able to impose a fine of almost £1 million on the Nationwide Building Society for failing to have effective systems and controls in place to manage its information security risk.
The Commissioner therefore argued that, in order to police and regulate compliance with the Act effectively, he required greater powers. Now, under ss 55A and 55B of the Data Protection Act 1998, the Commissioner may issue a monetary penalty notice against a data controller who has committed a serious breach of the Act, up to a maximum penalty of £500,000.
Section 55A provides that:
(1) The Commissioner may serve a data controller with a monetary penalty notice if the Commissioner is satisfied that-
(a) there has been a serious contravention of section 4(4) by the data controller,
(b) the contravention was of a kind likely to cause substantial damage or substantial distress, and
(c) subsection (2) or (3) applies.
(2) This subsection applies if the contravention was deliberate.
(3) This subsection applies if the data controller-
(a) knew or ought to have known-
(i) that there was a risk that the contravention would occur, and
(ii) that such a contravention would be of a kind likely to cause substantial damage or substantial distress, but
(b) failed to take reasonable steps to prevent the contravention.
Section 4(4) is the duty on a data controller to comply with the data protection principles, so a ‘serious contravention of section 4(4)’ means a serious breach of one or more of the principles. In the cases discussed below the principle in question is Principle 7, the obligation to take appropriate technical and organisational measures against unauthorised or unlawful processing of, and accidental loss of, personal data.
There is a prescribed procedure whereby the Commissioner issues a notice of intent and provides time for data controllers to make representations on the proposed amount of the penalty before the monetary penalty notice is issued.
Guidance
The Commissioner has said that the underlying aim of the power to impose monetary penalties is to promote compliance with the Act and that a monetary penalty will be imposed only in the most serious situations. In order to assist data controllers in assessing what constitutes ‘the most serious situations’ the Commissioner has issued Guidance[1] and a Data Protection Regulatory Action Policy.[2] The various monetary penalty notices that have been imposed under the new powers also give an indication of how the Commissioner may judge cases of breach in the future.
The Guidance sets out lists of factors that would make the imposition of a monetary penalty more or less likely. For instance, the nature of the personal data concerned and the duration and extent of the contravention, together with the number of individuals actually or potentially affected, will all be taken into account when considering the seriousness of the contravention.
A deliberate contravention (as appears was the case with the Consulting Association) is more likely to lead to a monetary penalty than accidental contravention, though a series of accidental breaches, or a serious breach which occurred as a result of a cavalier approach to data security, may still be treated as justifying a monetary penalty.
Monetary Penalties
A number of monetary penalties have been imposed by the Commissioner to date under the new powers, and the notices provide guidance on how the Commissioner may view the circumstances of a particular breach.
Hertfordshire County Council (‘HCC’)
On 11 June 2010 a member of staff working in the Childcare Litigation Unit of Hertfordshire County Council faxed 17 pages containing sensitive personal data relating to seven individuals to a barristers’ chambers in London, who were instructed by HCC in relation to a sexual abuse case.
The fax machine in the Unit had the fax number for Chambers programmed into its memory and had an ‘auto dial’ button. Having used the ‘auto dial’ button in accordance with the Unit’s standard practice and found the line to be busy, the member of staff then dialled the full number into the fax machine and sent the fax. Unfortunately the member of staff had used the wrong STD code, and the fax was instead sent to a member of the public.
The member of the public who received the fax claimed that this had also happened earlier the same day, although HCC had no record of this and no evidence was produced to support the claim. The member of the public immediately e-mailed HCC to make it aware of the error; HCC had been unaware of it up to that point.
Both HCC and the member of the public reported the security breach to the Commissioner’s office; due to the confidential and sensitive nature of the data, HCC also obtained an injunction prohibiting the member of the public from disclosing any information about the sexual abuse case and ordering him to destroy the data.
Following the incident on 11 June 2010 HCC began an immediate investigation and co-operated with the Commissioner’s staff, who also launched an investigation.
On 24 June 2010 (the same date as a meeting between HCC and the Commissioner’s staff) another member of the Unit sent 11 pages containing confidential and sensitive personal data by fax to the same barristers’ chambers; the intended recipient this time was the Court Manager at Watford County Court. Because a fax header sheet was used on this occasion (a result of the tightening of procedures following the first breach), counsel’s clerk was able to inform HCC of its error, and it is understood that counsel’s clerk destroyed the documents without examining the information.
The investigation by HCC revealed that the number dialled on the fax machine had again been input manually rather than using the ‘auto dial’ facility in accordance with HCC’s practice. The disclosed documents contained confidential and sensitive personal data relating to a total of 18 data subjects including (but not limited to) names and dates of birth for three children who were the subject of care proceedings, care arrangements and six adults who were identified by their name and familial relationship. A moratorium was placed on the sending of any faxes by HCC until a secure procedure was in place (this was lifted on 28 June 2010 once a secure fax system had been implemented).
HCC took remedial action, but the Commissioner assessed that the requirements for imposing a monetary penalty had been satisfied:
· there had been a serious contravention of Principle 7 of the Act (the obligation to take appropriate technical and organisational measures against unauthorised processing of personal data);
· the contravention was of a kind likely to cause substantial distress; and
· HCC ought to have known that there was a risk that the contravention would occur, and failed to take reasonable steps to prevent it.
The Commissioner issued a notice indicating that he intended to impose a monetary penalty of £100,000, and indicated that he had taken the following aggravating and mitigating factors into account.
Aggravating factors
· the information concerned was highly confidential and sensitive;
· there were two similar breaches in a two-week period;
· the nature of the information meant that the breaches were likely to cause substantial damage and distress to the data subjects;
· the breach was due to HCC failing to take appropriate organisational measures to guard against the breach;
· lack of swift, effective remedial action following the first incident; and
· an apparent reluctance by senior managers to accept that a recurrence might occur, when alerted to the risk by the Commissioner’s staff after the first breach.
Mitigating factors
· there was no previous similar security breach by HCC that the Commissioner was aware of;
· there was no evidence to support the claim by the recipient of the first fax that this had happened before;
· the two breaches concerned personal data relating to only 29 and 18 data subjects respectively;
· to the Commissioner’s knowledge the personal data involved in both security breaches had not been further disseminated;
· the obtaining of the injunction to limit further dissemination of the data;
· the breach was voluntarily reported to the Commissioner;
· further remedial action was taken following the second security breach;
· there was insufficient time to consider the points raised by the Commissioner’s staff prior to the second security breach;
· HCC fully co-operated with the Commissioner and consented to an audit, if necessary;
· the liability to pay the monetary penalty falls on the public purse (although penalties are paid into the Consolidated Fund); and
· there would be significant impact on HCC’s reputation as a result of these security breaches.
The Commissioner also took into account the fact that this was one of the first monetary penalty notices issued by the Commissioner and was likely to set a precedent by which future notices would be judged.
A4E Limited
This case concerned the old data protection chestnut of the lost, unencrypted laptop. A4E Limited was contracted by the Legal Services Commission to operate Community Legal Advice Centres in Hull and Leicester and has contracts with other public sector organisations. Under the contract, A4E was required to provide various reports containing statistics and other data.
One of A4E’s employees had been issued with a laptop on the understanding that it would be used for home working. The employee loaded personal data onto the laptop in order to work at home; the only security was password protection. The employee was the victim of a burglary and the laptop was stolen and not recovered.
The laptop held 24,000 clients’ records, some of which contained sensitive personal data including the client’s criminal record, ethnic origin and health details. Although A4E had initiated a programme of encryption and port control access across its laptop fleet, that laptop was scheduled to be encrypted at a later date.
The Commissioner served a notice indicating that he intended to issue a monetary penalty on A4E of £60,000 as he was satisfied that the requirements to do so (as set out in the HCC example above) had been met, and the following aggravating and mitigating factors were taken into account in calculating the monetary penalty.
Aggravating factors
· even though a risk assessment had been carried out, the laptop was unencrypted, despite the employee working at home without remote access to the central secure server;
· no security devices were provided to home workers;
· a large amount of sensitive data was lost, and a significant number of data subjects (3,200) had made contact after being informed of the loss;
· the key needed to decode some of the sensitive personal data was held on the same laptop, so that encoding gave no protection once the device was lost;
· the laptop had not been recovered, and logs showed that an unauthorised attempt had been made to access the data; and
· the contravention was serious because of the sensitive nature of some of the data.
Mitigating factors
· There had been no similar prior breach by A4E that the Commissioner was aware of;
· a risk assessment had been carried out;[3]
· the loss was reported within four hours and an internal investigation began the same day;
· the data was unlikely, on its own, to be capable of use for fraudulent purposes;
· the breach was voluntarily reported to the Commissioner;
· A4E was fully co-operative with the Commissioner during the investigations;
· A4E wrote to all of the data subjects affected by the breach and set up a free helpline to provide advice; and
· substantial remedial action had been taken.
Ealing Council
Ealing provided an out-of-hours service operated by staff working from home. Those staff received contact from various sources between the hours of 5pm and 9am and, although details were transferred to the main network when possible, contact details were kept on the laptops to allow contact in future.
Sensitive personal data (including data concerning the data subjects’ ethnicity) was held by one member of staff on a personal laptop and a laptop issued by Ealing, both of which were stolen during an opportunistic theft. 958 clients of Ealing were affected, together with 698 clients of Hounslow Council (see below). Both laptops were unencrypted, though Ealing had a policy stating that all laptops and removable media should be encrypted.
Although Ealing had policies in place, and the member of staff had been working for them for 12 years, there was no evidence that the member of staff had read and understood the applicable policies, that the member of staff’s supervisors had ensured that the policies were being complied with, or that the required working from home assessments had been performed.
Following the incident, an Emergency Data Breach Workforce was appointed to evaluate the situation and monitor the remedial activity taken. As of May 2010 all laptops and memory sticks were fully encrypted. Ealing also informed Hounslow Council so that it could take its own remedial action. Further, new policies were rolled out to staff, together with training. Ealing also indicated that it was willing to undergo an audit by the Commissioner’s office.
The Commissioner indicated an intention to issue a monetary penalty of £80,000 for a breach of Principle 7 of the Act, and took into account the following aggravating and mitigating factors.
Aggravating factors
· the fact that the breaches involved sensitive personal data relating to nearly 800 data subjects;
· the data controller issued an unencrypted laptop to a member of staff in contravention of its own policies;
· no risk assessment was carried out at the member of staff’s home, in breach of policy;
· there was no monitoring of equipment usage by staff; and
· the data controller had sufficient financial resources to pay the penalty without causing undue financial hardship.
Mitigating factors
· both laptops were password protected (though they were not encrypted);
· security policies were in place;
· there was no evidence to suggest that the lost personal data had been accessed and no complaints had been received from data subjects at the date of the notice;
· the breach was voluntarily reported and Ealing was fully co-operative with the Commissioner;
· helplines were established to assist and provide information, and Ealing informed the data subjects of the breach;
· a programme of encryption was fully rolled out post-breach;
· Ealing was prepared to consider an audit by the Commissioner;
· the liability to pay the monetary penalty would fall on the public purse (although penalties are paid into the Consolidated Fund); and
· there was a significant impact on Ealing’s reputation as a result of the security breach.
The Commissioner noted that Principles 3 and 5 of the Act had also been breached in that irrelevant and excessive personal data was held on the laptops and information had been kept for longer than necessary.
Hounslow Council
The breach leading to the imposition of a monetary penalty of £70,000 on Hounslow was the loss of the laptops by Ealing Council referred to above.
Although Hounslow had a contract in place with Ealing for the processing of personal data:
· the contract expired in 2009;
· the expired contract did not include any requirements regarding the security of personal data;
· Hounslow did not monitor Ealing’s compliance with data protection law; and
· prior to 2009 Hounslow had no security policy in place, with the only reference to data protection compliance being a basic list of “do’s and don’ts”.
The list of aggravating factors in this case was similar to that set out above in relation to the monetary penalty imposed on Ealing, but also included:
· the fact that there was no written contract in place between Ealing and Hounslow, and no assurances as to how personal data would be processed by Ealing;
· there was no monitoring of Ealing’s processing of data by Hounslow; and
· all of the ‘data processor’ requirements of Principle 7 had been contravened.
In addition to the mitigating factors set out in Ealing’s penalty notice, the fact that Hounslow had appointed Ealing to process data on its behalf, and should have been entitled to expect that Ealing (as a local authority) would be familiar with its data processing responsibilities, was a mitigating factor in this case. In addition, the breach was exacerbated by circumstances outside the direct control of Hounslow and, following the breach, Hounslow took remedial action and put in place a Memorandum of Agreement between it and Ealing for the processing of personal data.
Andrew Jonathan Crossley t/a ACS Law (‘AC’)
AC was the sole practitioner in the practice ACS Law. As has been widely reported in the legal and national press, ACS Law was involved in pursuing alleged infringers of copyright in music tracks, computer games, and films (often involving adult content).
AC’s mode of operation sometimes attracted criticism. After obtaining court orders ordering ISPs to disclose names and addresses of alleged infringers to him, he would write to hundreds and sometimes thousands of individuals at any one time, alleging infringement and demanding immediate payment of a fixed sum to settle the claim. Various press stories reported individuals who had received such letters and who claimed to have no knowledge of the alleged infringement. His mode of operation was such that it attracted criticism in the House of Lords during the passage of the Digital Economy Bill.
In early 2009 AC decided to change web-hosting provider, as his existing provider was no longer able to meet his online business needs (he was experiencing significant downtime of web pages and e-mail accounts). He asked one of his legal assistants, who had no IT qualifications, to locate an alternative provider, and was recommended a company on the basis of a basic internet search. In April 2009 AC elected to use this web-host and subscribed to a ‘home’ web-hosting package at a cost of £5.99 per month. It is clear (perhaps obvious from the price alone) that this package was neither intended nor suitable for significant business use: the web-host provided no guarantees in relation to data security, and the data was held as part of a ‘shared server’ package.
In September 2010 AC’s web server was targeted in a Distributed Denial of Service (DDoS) attack by an online group of activists. AC’s website was taken offline and suspended by the web-host to prevent the DDoS attack from compromising the web-host’s other client accounts. After the DDoS attack began, a file containing e-mails from AC’s accounts was made available on a torrent site and from there was shared and distributed to other sites. Any person accessing the torrent site was able to read and download the spreadsheets of names and addresses provided by ISPs and the various other attachments that were stored on AC’s system (including evidence of illness or impaired mental health submitted to AC by some of those who had received a letter of claim). The Commissioner estimated that at least 6,000 individuals were affected.
Following the incident and press reports, AC reported the loss of data to the Commissioner and other relevant bodies. He discontinued his contract with the web-host, and commissioned a former client with IT/business analysis skills to conduct a review into his IT systems and processes and make recommendations. This produced a report which made over 20 recommendations including basic steps such as the installation of a firewall.
The report was critical of AC’s IT security and the technical skills of the staff who managed the IT systems, and recommended that AC employ an IT professional to manage and evaluate the security of his IT systems. AC states that he spent in the region of £20,000 in response to the incident.
AC subsequently ceased trading. The Commissioner was nevertheless of the view that the breach of Principle 7 of the Act was such that the requirements for the imposition of a monetary penalty were satisfied. In assessing the amount of the penalty, the Commissioner took the following aggravating and mitigating factors into account.
Aggravating factors
· implementation of appropriate security measures could have prevented loss of data;
· the data lost included sensitive personal data;
· the data was distributed worldwide and could be available to third parties indefinitely;
· the contravention was likely to cause substantial damage and distress to data subjects;
· AC had not taken any professional IT advice regarding setting up and maintaining his IT systems;
· AC had not followed guidance published by the Commissioner in relation to data security, nor complied with BS ISO/IEC 27001;
· initially, AC was not fully co-operative with the Commissioner’s office;
· the fact that AC was a lawyer should have meant that he was aware of his obligations under the Act; and
· AC’s lack of investment in IT advice and data security meant that the business had made considerable savings.
Mitigating factors
· there had been no similar breach by AC of which the Commissioner was aware;
· AC had obtained an injunction against two UK based individuals involved in the attack and one limited company to prevent further dissemination of the lost data;
· the breach was voluntarily reported to the Commissioner;
· some remedial action had been taken and AC had spent around £20,000 as a result of the incident;
· ACS Law was a small business and could not be expected to have extensive in-house security expertise;
· AC was ultimately co-operative with the Commissioner;
· liability to pay the monetary penalty would fall on an individual, and the business activity leading to the attack had subsequently ceased; and
· there was a significant impact on the reputation of AC as a result of the security breach.
The Commissioner imposed a monetary penalty of £1,000, but indicated that, had the penalty not fallen to be paid by an individual, a monetary penalty of £200,000 would have been reasonable and proportionate. This followed written representations by AC to the Commissioner, sworn on oath, as to the likely impact of the monetary penalty on him as an individual.
Surrey County Council (SCC)
One of SCC’s Adult Social Care Teams received an e-mail asking them to populate an Excel spreadsheet with data regarding the support needs of adult social care service users. Much of the information requested was of the kind that would be classified as sensitive personal data under the Act, being data relating to physical or mental health. One of the individuals carrying out the task was deputising for another member of the team, and whilst she was aware of the sensitive nature of the information and had received advice from a colleague, she was unfamiliar with Excel and had limited experience of computers, having not attended all appropriate IT training.
When returning the completed spreadsheet to an internal colleague the team member erroneously copied the e-mail to a global e-mail distribution list consisting of 361 transportation companies (comprising taxi and cab hire and coach and mini bus firms) used by SCC.
Various steps were taken after this breach to report it to both the data subjects and the Commissioner, and to ensure that it did not occur again. However, similar second and third breaches followed: one of SCC’s employees erroneously e-mailed the Minutes of a Strategy Discussion to a newsletter distribution group, and a locum family support worker sent a checklist and referral form to the incorrect internal e-mail group.
The Commissioner served a notice indicating that he intended to impose a penalty of £120,000, as he was satisfied that the requirements permitting him to do so had been satisfied.
In calculating the amount of the penalty for the first breach, the Commissioner said that the following aggravating and mitigating factors had been taken into account.
Aggravating factors
· the fact that there had been multiple, similar breaches;
· the number of individuals involved and the number of recipients;
· the data was sensitive, personal and confidential;
· the likelihood of substantial distress to vulnerable data subjects;
· the lack of appropriate IT training and support; and
· the fact that SCC had the resources to pay up to the maximum monetary penalty without causing it undue financial hardship.
Mitigating factors
· Although the attachment was not encrypted, the sensitivity of the data and the e-mail was obvious on its face;
· several attempts were made to prevent further dissemination of the e-mail and attachment;
· the information in the spreadsheet was reduced to the minimum necessary to complete the task;
· a failed attempt to recall the e-mail was made;
· the breach was voluntarily reported to the Commissioner;
· the individuals affected were notified about the breach;
· substantial remedial action had been taken;
· SCC was fully co-operative with the Commissioner’s office; and
· the liability to pay the monetary penalty would fall on the public purse.
Conclusion
The factors that the Commissioner looks at when determining whether to impose a monetary penalty, and how much that penalty should be, are to a large extent dictated by common sense. For instance, the fact that a breach is inadvertent rather than deliberate does not automatically mean that no monetary penalty will be levied, but it is a factor that the Commissioner will weigh. The Commissioner will also treat multiple breaches as an aggravating factor, particularly if they are similar in nature and lessons have not been learned.
The Commissioner will also look carefully at the steps taken, and the information governance policies put in place by the data controller, both prior to the breach and afterwards. Although under no obligation to report a breach to the Commissioner, rapid notification of the breach to both the Commissioner and those data subjects whose data has been compromised will stand in a data controller’s favour. Co-operation with the Commissioner will always be viewed favourably.
It is interesting to note that the Commissioner has said that he will not seek to cause an organisation excessive financial hardship. Thus, a data controller of an organisation with significant financial resources could potentially be the subject of a higher penalty for the same breach than an organisation with rather less wherewithal. It could also mean that public authorities, who often have greater resources to call on than companies in the private sector, could suffer greater penalties than their private sector counterparts. The case of Andrew Crossley, which arguably involves a greater disregard for the provisions of the Act than some of the other cited examples, demonstrates the fact that the Commissioner will look especially at the impact of a penalty when assessing the amount to be levied. Some may take the view that this could unfairly prejudice both public authorities, and those organisations that have greater resources available to them.
The Commissioner is very keen to emphasise that compliance with data protection law should not be seen as an extra obligation, but should be seen as an integral part of good business practice. All of the above examples include the failure to take steps which most data subjects would regard as basic requirements when processing personal data. Given that breaches can lead not only to monetary penalties, but a significant loss of confidence (both internally and externally) and bad publicity, it is critical that organisations recognise their responsibilities and put in place appropriate procedures to avoid breaches of the Act.
Shelley Thomas is a Partner at Hill Dickinson LLP based in Manchester.
[1]www.ico.gov.uk/for_organisations/guidance_index/data_protection_and_privacy_and_electronic_communications.aspx#monetary
[2]www.ico.gov.uk/~/media/documents/library/Data_Protection/Detailed_specialist_guides/DATA_PROTECTION_REGULATORY_ACTION_POLICY.ashx
[3] Though note the aggravating factor that the laptop remained unencrypted despite that risk assessment having been carried out