First ICO monetary penalty
24 Nov 2010 - Have you checked your usage policies lately?
The first monetary penalty notice for a serious breach of the Data Protection Act has been served by the Information Commissioner.
Hertfordshire County Council employees faxed highly sensitive personal information to the wrong recipients. The faxed information produced an unencrypted paper copy of data at the destination address, which was likely to cause substantial damage or substantial distress.
The ICO considered Hertfordshire County Council had failed to take reasonable steps to prevent the serious contravention of the Act, despite being aware of the risks.
Grounds for the monetary penalty notice
The relevant provision of the Act is the Seventh Data Protection Principle which provides, at Part I of Schedule 1 to the Act, that: “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”.
“Having regard to the state of technological development and the cost of implementing any measures, the measures must ensure a level of security appropriate to -
a) the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage as are mentioned in the seventh principle, and
b) the nature of the data to be protected”.
Initial Response
Following the breach all support staff in Hertfordshire County Council Legal Services were reminded of the requirement to use a fax header sheet, which includes instructions on appropriate action for unintended recipients. An instruction was issued by the Chief Legal Officer that no confidential documents should be transmitted by fax without first having been sanctioned by the Assistant Chief Legal Officer or Consultant Solicitor (Practice and Quality Assurance). All staff in Legal Services were instructed to use password protected/encrypted mail as the default option for transmitting confidential data.
Insufficient Action
The Commissioner’s staff were of the view that these actions to prevent and detect further breaches were insufficient. They informed Hertfordshire County Council that the security breach could “happen again tomorrow”.
This is exactly what happened two weeks later, although as a result of the tightened procedures a fax header sheet was used on that occasion.
Further remedial action taken
Other measures that are being taken within Hertfordshire County Council Legal Services include:
- Introduction of a fax usage policy;
- Implementation of a ‘phone ahead’ & ‘confirmation of receipt of fax’ process;
- Nomination of officers authorised to send faxes via a clearance/sign off process through qualified lawyers;
- Establishing a record of faxes sent/confirmation received;
- Audit of preset fax numbers;
- Work on the implementation of secure email/electronic communication facilities within the department.
NETconsent View
This incident reveals how human error remains the biggest risk organisations must address in order to protect confidential information. Whether the underlying cause of this blunder was employee ignorance, indifference or a casual disregard for protocol, one thing is clear - policy compliance needs to move higher up the security agenda.
Organisations that do not regularly maintain, communicate and enforce appropriate policies and procedures not only risk financial penalties from regulatory authorities; the cost of remedial action and reputational damage could also run into thousands, if not millions.
Technological advancements mean that there is now a robust, efficient and inexpensive way of properly informing staff of the policies and procedures that govern working practices within an organisation. Creating and enforcing an organisational culture that takes security seriously shows a commitment to good IT governance.
NETconsent provides the means to:
- Deliver pro-active prompts to ensure users read policies;
- Ensure employees sign up to policies in sensible timescales;
- Test employee understanding of policies;
- Remind workers of their responsibilities on a regular basis;
- Generate management reports on policy compliance.
NETconsent also handles procedures, forms, e-learning modules and other associated policy documentation within the system.
Hertfordshire County Council is the first organisation to receive a monetary penalty notice. Fax transmission is hardly cutting-edge technology, but a switch to secure email transmission will still be prone to human error. Established and new processes need regular review, updating and communication to staff to keep security at the forefront of the minds of employees who, after all, are just trying to do their jobs well.
Dominic Saunders, Operations Director at NETconsent, advises: “Organisations should heed this warning and not only review their policies and procedures for sending faxes, but initiate reviews of how effective all policies are.”
The Commissioner’s underlying objective in imposing a monetary penalty notice is to promote compliance with the Data Protection Act. This first penalty notice is likely to set a precedent by which future notices will be judged.
Full details of the Data Protection Act 1998 Monetary Penalty Notice issued to Hertfordshire County Council on 22 November 2010.
Further Resources
- Privacy Dividend: the business case for investing in proactive privacy protection.
- ICO Privacy Failure Costs Calculation Sheet: ICO calculation sheet to help organisations estimate the direct costs they might experience due to privacy failures.
- ICO Privacy Protection Benefits Calculation Sheet: ICO calculation sheet to help organisations estimate the magnitude of the benefits they might expect to see.
- ICO Mandates for Privacy Protection: review the mandates for privacy protection in the organisation using the ICO table as an initial guide.