The Information Commissioner has issued fines against both Ealing and Hounslow Councils after finding them culpable of serious breaches of the Data Protection Act. The breaches relate to the same incident, in which laptops containing sensitive personal data on individuals from the Councils were stolen from an employee’s home.
The Commissioner was given the power to impose fines of up to £500,000 for serious breaches of the Act in April 2010. Whilst the use of such fines remains a rarity, this latest action by the Commissioner is a reminder of the risks should a controller fail to adhere to the data protection principles set out in the Act. The decisions also serve to demonstrate that public authorities are unable to hide behind arguments over budgetary constraints or reputational issues to avoid sanction by the Commissioner.
Following the Commissioner’s action, data controllers should have regard to the following when handling personal data on portable devices:
- Use data encryption - Password protection alone is not sufficient. Encryption software should be used as standard.
- Use security devices - In this incident, the Commissioner noted that the laptops could have been protected with a physical security device, such as a Kensington lock.
- Delete personal data when it is no longer required - The Commissioner punished both Councils after finding that ‘excessive personal data’ had been held on the laptops for longer than was necessary.
- Implement appropriate internal procedures - A clear security policy should be put in place, along with a procedure for checking compliance by employees.
- When outsourcing personal data, get a written contract - The contract should set out specific security obligations, in line with the data protection principles set out in the Act.
- If a portable device is stolen:
  - Find it - The Councils have been unable to locate the stolen laptops, which the Commissioner found to be an aggravating factor in its decision. Laptop tracking software can be installed for a relatively inexpensive subscription fee.
  - Consider informing data subjects - For breaches affecting a large number of individuals, data controllers should also consider setting up a dedicated helpline.
  - Cooperate with the Commissioner - It was noted that, in both cases, the Councils had voluntarily reported the breaches to the Commissioner and had followed advice to prevent similar incidents occurring in the future.
Ealing Council operated an ‘out-of-hours’ service to field calls made to its switchboard between 5pm and 9am. The service was run by a team of nine employees who worked from home. When a call was received by the switchboard, the switchboard contacted a team member should any further action be required.
The team worked from laptops issued by Ealing Council. Whilst access to Ealing Council’s central database was limited during the out-of-hours service, the team were able to work from past and current records stored on their laptops. Any records updated by the team were later transferred to the central database, though they were also retained on the laptops.
As well as handling requests made to the Ealing Council switchboard, the team operated a similar out-of-hours service for Hounslow Council. The team did not have access to the Hounslow Council central database and used past and current records stored on their laptops when actioning requests. The team would then issue a referral form to Hounslow Council to detail the action that they had taken.
Ealing Council issued one of its out-of-hours employees with a laptop to use when actioning requests in 2006. The laptop was subsequently stolen from the employee’s home, along with the employee’s personal laptop in what the Commissioner recognised as an ‘opportunistic’, rather than targeted, theft. At the time they were taken, the laptops held records relating to 958 individuals from Ealing and 698 from Hounslow. The records contained personal data (some sensitive), such as names, date of birth, gender, ethnicity, first language, address and telephone contacts, as well as information about the individual’s dealings with their Council.
The Commissioner found that whilst the data was protected by password, it was not encrypted. The Councils are yet to receive any complaints from the individuals concerned, though the laptops are yet to be recovered.
The Commissioner found Ealing Council to be in breach of the Act for failure to take appropriate technical and organisational measures against the accidental loss of personal data. The Commissioner’s decision lists a number of failings on the part of the Council including the failure to encrypt data, the lack of a security device on the laptops, the fact that risk assessments for working out-of-hours had not been put in place and that there appeared to be no procedure for monitoring staff working from home.
Ealing Council were able to demonstrate that a ‘Removable Media Policy’ had been put in place at the time of the loss, which contained the requirement that all removable media containing personal data must be encrypted. However, this initiative had not been extended to the out-of-hours service team, and the Commissioner found that the Council had effectively breached its own risk assessments. Significantly, the Commissioner found that the fact that a Removable Media Policy had been introduced demonstrated that Ealing Council were fully aware of the risks of a security breach.
In assessing the stolen data, the Commissioner found that its content meant that it could be used to perpetrate identity fraud or cause damage to the personal reputations of the individuals concerned and, as such, its loss was likely to cause substantial damage or distress. This was said to be aggravated further by the fact that the laptops have not been recovered.
As well as a failure to safeguard the laptops against theft, the Commissioner also found that irrelevant and excessive data was retained on the laptops for longer than was necessary. It was noted that following the incident, Ealing Council has taken a number of steps to remedy the breach, including:
- Informing the individuals concerned that their data has been stolen;
- Setting up a helpline to assist and provide information to those individuals;
- Embedding encryption across all of its portable devices;
- Issuing a new ‘Information Protection Policy’ and revising its ‘Removable Media Policy’;
- Disseminating its policies on data protection via the intranet and in team and one-to-one meetings;
- Implementing checks to ensure that procedures are complied with;
- Deploying software to detect unencrypted devices; and
- Considering an audit by the Commissioner’s Office.
The Commissioner issued Ealing Council with an £80,000 fine, to be reduced to £64,000 if full payment is received before 7 March 2011. Ealing Council has until 8 March 2011 to appeal the decision.
The Commissioner found Hounslow Council had committed a serious contravention of the Act by failing to choose a data processor that provided sufficient guarantees over technical and organisational security measures when processing data. It was noted that there had previously been a written contract between Hounslow and Ealing Council covering the out-of-hours service, but this agreement had expired in 2009 and (in any event) did not contain any requirements relating to the security of personal data.
Furthermore, the Commissioner found that Hounslow Council had failed to monitor Ealing Council’s compliance with the Act and were unaware of how the out-of-hours team were processing data. Prior to the laptops being stolen, Hounslow Council had no security policy in place and the only reference that it had to data protection was in the form of a high-level list of ‘Do’s and Don’ts’.
After the data was stolen, Hounslow Council took the following steps:
- Informing individuals who had been affected by the breach;
- Entering into a Memorandum of Agreement with Ealing Council, covering data security, compliance with the Act and providing for regular auditing and compliance statements; and
- Considering an audit by the Commissioner.
In making its decision, the Commissioner had regard to the fact that the contravention was exacerbated by circumstances outside of the direct control of Hounslow Council (i.e. the data was stolen from an Ealing Council employee). However, the Commissioner found it appropriate to impose a fine of £70,000, to be reduced to £56,000 should the sum be paid in full before 7 March 2011.