First fines issued over data protection breaches

A council was fined £100,000 by the privacy watchdog today for accidentally faxing highly sensitive information about cases involving child sex abuse and care proceedings to the wrong recipients on two occasions in the space of two weeks.

The Information Commissioner served the monetary penalty on Hertfordshire County Council for serious breaches of the Data Protection Act.

A separate fine of £60,000 was also imposed on employment services company A4e over the theft of a laptop containing personal information about 24,000 people who had used community legal advice centres in Hull and Leicester.

Hertfordshire County Council reported the breaches - which occurred in June when staff from the council's childcare litigation unit sent two faxes to the wrong recipients on two separate occasions - to the Information Commissioner's office.

After the first misdirected fax, which was meant for barristers' chambers, was sent to a member of the public, the council obtained a court injunction prohibiting disclosure of the details.

The second fax, sent 13 days later by a different employee, contained information relating to the care proceedings of three children, the previous convictions of two individuals, domestic violence records and care professionals' opinions.

Instead of going to Watford County Court, it was mistakenly sent to a barristers' chambers unconnected with the case.

In the A4e case, which also happened in June, the firm was punished for issuing an unencrypted laptop to an employee working from home in London. The laptop, which contained sensitive personal information including names, dates of birth, postcodes, income level and details of alleged criminal activity, was subsequently stolen.

As well as reporting the incident to the ICO, the company notified the people whose data could have been accessed.

Information Commissioner Christopher Graham said: "It is difficult to imagine information more sensitive than that relating to a child sex abuse case.

"I am concerned at this breach - not least because the local authority allowed it to happen twice within two weeks.

"The laptop theft, while less shocking, also warranted nothing less than a monetary penalty as thousands of people's privacy was potentially compromised by the company's failure to take the simple step of encrypting the data."

A spokesman for Hertfordshire County Council said: "We are sorry that these mistakes happened and have put processes in place to try to prevent any recurrence.

"We accept the findings of the Commissioner."

A4e chief executive Andrew Dutton said: "We fully accept today's judgment and will continue to co-operate with the ICO.

"We acted very swiftly after the incident in June, including making a voluntary report to the ICO. We alerted all customers, partners and relevant authorities affected and continue to update them.

"This incident occurred as a result of a breach of our security procedures. It also came at a time when A4e was rolling out a new, robust, company-wide set of security controls and procedures.

"Our priority has always been, and remains, our customers and partners.

"We have apologised for any distress caused to those involved in this one-off incident in Hull and Leicester and we do so again today."