Secure Data in Motion with iSEEU Global

The iSEEU blog is concerned with all aspects of secure data in motion including information governance, data breach, data protection and secure collaboration tools.
The ICO and data protection enforcement: 2011 in review

[image: Data Protection Enforcement - the ICO in 2011]

Data breaches and data protection stories were never far from the headlines in 2011. The recent blog post from Sir Christopher Graham, the Information Commissioner, suggests that actions will continue to grow in 2012.

The ICO has a range of tools available to use against organisations that collect, use and keep personal information. Most often, a fine rather than custodial action is the outcome. However, last year a Parliamentary working group called for the use of custodial sentences in serious cases of data breach.

What data protection enforcement action can the ICO take?

The options open to the ICO are as follows:

  • serve information notices on organisations requiring specific information,
  • require an organisation to improve its compliance by issuing specific undertakings,
  • serve enforcement notices to ensure an organisation that has suffered a breach complies with the law,
  • conduct audits to check compliance within an organisation,
  • conduct audits to assess whether an organisation follows good practice in data protection enforcement,
  • issue monetary penalties of up to £500,000 for serious breaches of the Data Protection Act (occurring on or after 6 April 2010),
  • prosecute those who commit criminal offences under the Data Protection Act, and
  • report to Parliament on data protection issues that are of concern.

Prosecutions in 2011

In 2011, there were 5 prosecutions under the Data Protection Act. All related to individuals who had obtained personal details through their employment, either for personal information or for personal gain. Interestingly, no prosecutions were brought against individuals in respect of their responsibility for data protection enforcement.

Monetary penalties in 2011

There were 7 fines issued in relation to data protection enforcement during 2011. The majority related to local authorities, though one was a private sector case. The level of fine ranged from £1,000 to £130,000.

The smallest of the fines was in the private sector where a law firm (ACS Law) failed to keep safe the sensitive personal information of around 6,000 people.

Misdirected data was the cause of most fines

The public sector cases tended to relate to situations where an individual had posted or, more often, emailed sensitive information to the wrong recipients, exposing sensitive personal data. The largest fine (£130,000) was issued to Powys County Council, where details of a child protection case were sent to the wrong recipient. Surrey County Council was fined after a staff member emailed sensitive personal data to the wrong recipients on three separate occasions.

It seems that email, often seen as a quick, reliable and secure delivery method, is the source of many data protection enforcement challenges for public bodies. Its speed and ease of use are obviously attractive, but organisations need to consider the risks and consequences of a data breach and look at solutions that combine control, audit, security and ease of use.

If you'd like to learn more about iSEEU's suite of data security tools, contact us now.


[image credit: www.ico.gov.uk]
