On 24 November 2010, the UK’s Information Commissioner issued two organisations with substantial fines for serious breaches of the UK Data Protection Act 1998.
Hertfordshire County Council was fined £100,000 for two successive data protection breaches where council employees sent two faxes containing highly sensitive personal information to the wrong recipients on two separate occasions. The council reported both breaches to the Information Commissioner’s Office (ICO). The Commissioner ruled that, after the first breach occurred, the council did not take sufficient steps to reduce the likelihood of another breach occurring.
An employment services company, A4e, was also fined £60,000 following the loss of an unencrypted laptop containing sensitive personal information relating to 24,000 people who had used community legal advice centres in Hull and Leicester. The company reported the incident to the ICO and also notified the people whose data could have been accessed. The Commissioner found that the company had not taken reasonable steps to avoid the loss of the data when it issued the employee with the unencrypted laptop, despite knowing the amount and type of data that would be processed on it.
The Irish Data Protection Commissioner does not have equivalent legal powers to issue large penalties for serious contraventions of the Data Protection Acts. At present only offences under the Data Protection Acts attract financial penalties, the maximum of which is €250,000 (or 10% of turnover if the offender is a body corporate) for offences relating to unsolicited marketing messages.
However, the Report of the Irish Data Protection Review Group, published earlier this year, recommended the introduction of legislation providing for penalties for serious contraventions of the Data Protection Acts.
It will be interesting to see if any new equivalent legislation is introduced here.