Employment news October 2016
Data Protection – fines for failing to keep personal information secure
The Information Commissioner's Office (ICO) has the power to fine Data Controllers up to £500,000 for failing to keep personal information secure. The ICO regularly uses this power: in the financial year 2015/16, fines totalling £2m were issued.
Examples of fines issued by the ICO for serious data protection breaches in August 2016 include:
- Hampshire County Council fined £100,000 after leaving bin bags full of documents containing personal data and confidential waste unsecured in a decommissioned building that was up for sale (and open for viewing) for a period of two years. The data breach was reported by the eventual new occupier of the property.
- A nursing home fined £15,000 after an employee took a work laptop home and it was later stolen. The laptop contained unencrypted personal data relating to both staff and residents. The ICO held that the employer had failed to implement any policies on homeworking, use of mobile devices, encryption of sensitive data or, indeed, to provide data security training to staff. It stated that had the nursing home been a larger organisation it would have received a much larger fine.
- A medical practice fined £40,000 after releasing medical records about a patient to her estranged ex-husband after he made a subject access request for data about their son. The practice failed to blank out the information about the patient before disclosing the records. Again, the ICO warned that a larger organisation would have received a much larger fine for this very serious breach.
The recipients of fines are publicly listed on the ICO website, so the potential for reputational damage, in addition to the fine itself, is significant.
- Ensure data protection policies and procedures are up to date and audited on a regular basis.
- Ask the questions, ‘How seriously do we take data protection?’ and ‘How do we evidence this?’
- Implement and monitor policies on home-working and use of mobile devices away from the office. How secure is personal data if mobile devices are lost or stolen?
- Provide regular data security training to staff including during induction procedures.