Briefing on the power of the ICO to serve civil monetary penalties (CMP's) on data controllers

Posted on
Under Section 55A of the Data Protection Act (DPA) the Information Commissioner has powers to impose civil monetary penalties (CMP) of up to £500,000 on organisations that are responsible for serious breaches of data protection rules.

Since the introduction of CMPs in April 2010 the ICO has imposed financial penalties ranging between £60,000-£325,000 and totally more than £1.5 million, on a range of organisations, most notably local authorities and NHS bodies. To date, the ICO has dealt with data protection breaches committed by Registered Social Housing Providers (RSHP) by requiring them to give undertakings to correct shortcomings and improve compliance rather than by imposing CMPs.

Details of CMPs imposed by the ICO to date indicate, however, that it is advisable for all organisations with responsibility for handling sensitive personal information to keep their data security and data handling arrangements under continual review in order to minimise the likelihood of the kind of data protection breaches that can give rise to significant financial penalties.

CMPs may be issued in respect of a serious contravention of any of the data protection principles which is of a kind likely to cause substantial damage or substantial distress which is deliberate or which was obviously likely to occur and which the organisation failed to take reasonable steps to prevent. As the cases below illustrate, relatively simple administrative errors can readily give rise to these kinds of breaches, particularly where particularly sensitive personal data is involved and where there has been a failure to take proportionate steps to protect the information from loss or unauthorised access. 

Recent CMPs served on data controllers

Most recently, the Belfast Health and Social Care (BHSC) Trust was served with a CMP of £225,000 on the 13th of June 2012.  A merger of six local Trusts formed the BHSC Trust in 2007, resulting in the Trust taking on 50 largely disused sites containing confidential and sensitive personal data of thousands of patients and staff.  The ICO investigation concluded that the Trust had failed to take appropriate action to keep the information contained within those disused sites secure and to securely destroy medical documents which it no longer required. 

Other NHS Trusts have also been served with CMPs, for example:

  • Brighton and Sussex University Hospitals NHS Trust was served with a CMP of £325,000 on the 28th of May 2012 following the discovery of highly sensitive personal data belonging to tens of thousands of patients and staff on hard drives sold on an Internet auction site.
  • The Aneurin Bevan Health Board was served with a CMP of £70,000 on the 24th of April 2012 when a sensitive report – containing explicit details relating to a patient’s health – was e-mailed to the wrong person as a consequence of the doctor misspelling the name of the patient and the consultant not providing enough information for the secretary to identify the correct patient. 

Councils and private companies have been similarly served with CMPs for serious contraventions of the DPA, for example:

  • Cheshire East Council was served with a CMP of £80,000 on the 8th of February 2012 when an e-mail containing a police force’s concerns about an individual working in the area was sent without clear markings or advice on how it was to be treated, and was subsequently sent to 180 unintended recipients.  
  •  Employment services company A4e Limited was served with a CMP of £60,000 on the 22nd of November 2010 for the loss of an unencrypted laptop which contained personal information relating to 24,000 people who had used community legal advice centres inHull andLeicester. 

Of particular relevance to housing associations are those CMPs imposed in relation to remote working and sub-contractors:

  • The London Borough of Croydon Council was served with a CMP of £100,000 on the 6th of February 2012 after a social worker who had taken work home for a meeting the following day had his bag stolen from a pub.  It was noted that social workers had not received any data protection security training despite the fact that there was a recognised business need for social workers to take confidential and sensitive data home; it was insufficient that social workers had been directed to the data protection policies on the council’s intranet and to leave the onus on them to read and understand those policies. 
  • Ealing Council operated an out-of-hours service on behalf of Hounslow Council.    The staff providing the service worked from home between 5pm and 9am.  A laptop issued by Ealing Council and a personal laptop were stolen from an employee’s home; the laptops contained sensitive personal data relating to both Councils’ clients and neither were encrypted.  Hounslow Council was served with a CMP of £70,000 on the 4th of February 2011 on the grounds that it should have had a contract in place with Ealing Council monitoring the means by which its personal data was processed and ensuring compliance with the obligations imposed on a data controller by the DPA.  Such a contract would have recognised the risk of laptops being stolen where a significant amount of home working is carried out and required those laptops to be encrypted. 

Advice to data controllers on preventing a serious contravention of the DPA

The ICO has re-affirmed in each instance where it has served a CMP that in order to prevent a serious contravention of the DPA justifying a significant CMP, a data controller should ensure that it has the following in place:

  • Updated data protection policies combined with appropriate and regular monitoring of compliance with those policies;
  • Secure methods of keeping and disposing of personal data;
  • Staff training on the organisation’s policies on storage and use of personal data; and
  • Adequate checking processes in place to ensure that personal data sent by various means of communication is sent to the correct person(s).