This article, which is relevant to the employer, appears in our new edition of IBrief. IBrief reports on legal issues relating to data protection and freedom of information and is due to come out in March 2012.
Since 6 April 2010 the Information Commissioner (IC) has had the power to serve financial penalties (up to a maximum of £500,000) on organisations for serious breaches of the Data Protection Act 1998 (DPA).
Before the IC issues a penalty notice it must be satisfied that the contravention was serious and was of a kind likely to cause substantial damage or substantial distress, and that the data controller either:
• Deliberately contravened the DPA 1998.
• Knew or ought to have known that there was a risk the contravention would occur, and that it would be likely to cause substantial damage or distress, but still failed to take reasonable steps to prevent it from happening.
Cases involving the deliberate contravention of the DPA are relatively rare; the majority of cases which the IC investigates relate to an organisation's failure to identify the risks associated with handling personal data.
Levels of fines
Over the past two years the IC has fined various organisations for failing to identify the risks of handling personal data:
• a local authority was fined £100,000 when a bag containing papers relating to a child sex abuse case was stolen from a pub.
• a county council was fined £80,000 for disclosing, to the wrong recipient, allegations against a parent and details of the welfare of their child.
• a county council was fined £80,000 for failing to take appropriate measures when emailing another organisation about its concerns regarding an individual working in the local area. The email contained details of his alias and of the police's concerns, and was subsequently forwarded to a further 100 recipients, who forwarded it again to another 180 recipients.
• a county council was fined £140,000 for disclosing sensitive personal data relating to children to the wrong recipients on five separate occasions.
Even the legal profession is capable of falling foul of the DPA. In 2009 a QC's laptop containing information about an individual's physical and mental health was stolen. Although the QC had some security measures in place, neither the laptop nor the information on it was encrypted. The individual concerned escaped a fine from the IC only because the incident took place prior to 6 April 2010.
Investigations by the IC
Although the IC accepts that there will sometimes be instances, such as theft, where the loss of personal information is outside the control of the individual handling the data, the IC expects all organisations to take reasonable steps to prevent the DPA from being breached. Before the IC serves a financial penalty on an organisation it will carry out an investigation to assess whether the organisation has appropriate procedures in place.
The IC will assess:
• Whether the organisation has a data protection policy or guidance for its employees
• Whether that policy is adequate
• Whether that policy has been communicated to all staff
• Whether the organisation has monitored that the policy has been read and understood by employees
In the above cases the IC identified a number of areas where the organisations failed to have measures in place that may have prevented the loss of personal data, such as employees not completing the mandatory data protection training, failure to encrypt data, a data protection policy that was not actively communicated to staff, and inadequate security measures for taking personal data off the office premises. The organisations may have been able to reduce or even avoid the fine from the IC if they had had appropriate measures in place.
You should review your data protection policies to ensure that they are adequate. In particular, organisations within the care sector that handle sensitive personal information, such as the mental and physical health records of their clients, must ensure that they have adequate procedures in place for handling that information both on and off the premises.
One way of ensuring that all staff are aware of the organisation's data protection policy is to incorporate data protection training into their induction. You may also wish to consider holding a simple assessment after the induction so that you are able to demonstrate to the IC that a particular employee is aware of the organisation's policies and has also understood them.
All organisations will at one stage or another mishandle personal data through no fault of their own. What is important, however, is the ability to demonstrate to the IC that your staff are fully aware of the risks associated with handling personal data and that your organisation has sufficient safeguards in place to prevent any mishandling; as the IC's recent decisions have shown, failure to do so can be costly.