ICO started applying fines for Data Protection Act breaches

By EDRi · December 1, 2010

After having received increased powers in April 2010, the UK data protection
authority (Information Commissioner's Office, ICO) has recently used these
powers to fine an organisation and a local authority for having breached the
Data Protection Act.

Hertfordshire County Council has been fined about 120 000 Euro because its
employees twice sent highly sensitive information by fax to the wrong
recipients: once in June to a member of the public instead of a barrister,
and a second time, 13 days later, to the office of an unconnected barrister
instead of the Watford County Court.

“The Commissioner ruled that a monetary penalty of 100,000 pounds was
appropriate, given that the Council’s procedures failed to stop two serious
breaches taking place where access to the data could have caused substantial
damage and distress,” was the ICO’s statement. The Commissioner considered
that, after the first incident, the council did not take the necessary
measures to reduce the risk of another one.

Employment services company A4e was also fined about 72 000 Euro for having
given an employee a laptop containing the unencrypted personal information
of 24 000 people to take home. The laptop was stolen from the employee’s
home and there was an unsuccessful attempt to access the information. The
information included individuals’ names, dates of birth, postcodes,
employment status, income level, information about alleged criminal activity
and whether an individual had been a victim of violence.

The ICO is also concerned about Google’s collection of personal data with
its Street View vehicles. Initially, the ICO considered it unlikely that
Google had gathered too much information through its service, but after it
was revealed that the company had gathered entire emails, user names and
passwords by mistake, the ICO decided to carry out an audit of “Google’s
internal privacy structure, privacy training programs and its system of
privacy reviews for new products.”

“It is a significant achievement to have an undertaking from a major
multinational corporation like Google Inc. that extends to its global
policies and not just its UK activities. We will be keeping a close watch on
the progress Google makes and will follow up with an extensive audit,”
stated Information Commissioner Christopher Graham.

Others are sceptical regarding the ICO’s influence on Google. “The
Information Commissioner is ineffective and is widely held in contempt,”
said Ross Anderson, a professor of computer science at Cambridge University
who believes that the Information Commissioner is not feared by the
companies he is supposed to regulate. Mr. Anderson places more hope in the
German authorities which, in his opinion, “will have much more influence,
and indeed Google now does its privacy research in Munich. (…) They know
that if they can sell their privacy policies there, they will work
everywhere else.”

ICO issues first ever data protection fines (24.11.2010)
http://www.out-law.com//default.aspx?page=11569

Google allows ICO to check privacy practices (22.11.2010)
http://www.out-law.com//default.aspx?page=11563

Google’s agreement to delete British WiFi data does not impress experts
(22.11.2010)
http://www.dw-world.de/dw/article/0,,6256109,00.html

EDRi-gram: Google admits it was gathering passwords and emails via
StreetView (3.11.2010)
http://www.edri.org/edrigram/number8.21/street-view-collects-emails