The Information Commissioner’s Office (ICO) has just issued two more fines for breaches of the DPA. Ealing and Hounslow councils are, between them, paying £150,000 (of money they probably don’t have to spare) for the theft of just two laptops from an employee’s home!
There are three key learning points from this most recent set of fines:
- Laptops must be encrypted – the ICO said: “Of the four monetary penalties that we have served so far, three concern the loss of unencrypted laptops. Where personal information is involved, password protection for portable devices is simply not enough.” Our free Technical Briefing Paper describes clearly what has to be done to encrypt laptops and portable devices.
- You cannot hand your data protection responsibilities over to a third party – you must have a clear contract in place, with the right of audit, and you must take action to ensure that your third-party contractor complies with its responsibilities. The ICO said: “The penalty against Hounslow Council also makes clear that an organisation can’t simply hand over the handling of the personal information it is responsible for to somebody else, unless they ensure that the information is properly protected.”
- Lax data protection practices will lead to fines – The ICO’s statement concluded with this warning: “Both councils have paid the price for lax data protection practices. I hope all organisations that handle personal information will make sure their houses are in order – otherwise they too may have to learn the hard way.”
And the fines are just the monetary tip of the iceberg: before the fine is even issued, there is an investigation to endure, there is highly damaging PR and you still end up having to comply with the DPA anyway. So the sensible thing is to comply in advance of a breach – because, sooner or later, every organisation has a breach.
The process of becoming compliant is straightforward: carry out a gap analysis to identify where your actual practices are deficient against the requirements of the DPA, create an action plan to close the gap, and execute that plan.
This unique toolkit contains the document templates and tools that are essential for any UK data controller (and any UK organisation that is responsible for personal information) seeking compliance with the UK Data Protection Act 1998.