ICO hits Ealing and Hounslow councils with £150,000 fines for laptop theft

The ICO said the loss represents a serious breach of the Data Protection Act. Since April 2010, the ICO can levy penalties up to £500,000 for such breaches.

Ealing Council provides an after-hours service for both councils, operated by nine staff members who work from home.

The two laptops - containing the details of around 1700 people - were stolen from an employee's home.

Almost 1000 of these people were clients of Ealing Council and almost 700 were clients of Hounslow Council. Both laptops were password-protected but were not encrypted, even though both councils' policies required encryption.

The ICO said the breach was a significant risk to the clients' privacy, although no clients had complained and there was no evidence the data had been accessed.

The penalty for Ealing Council was set at £80,000. Hounslow Council's penalty was set at £70,000.

Ealing Council breached the Data Protection Act (DPA) by issuing an unencrypted laptop to a member of staff in breach of its own policies, the ICO said.

This method of working has been in place for several years and there were insufficient checks that policies were being followed or understood by staff, the ICO found.

Hounslow Council breached the DPA by failing to sign a written contract with Ealing Council. Hounslow Council also failed to monitor procedures for operating the service securely.

Deputy commissioner David Smith said that, of the four monetary penalties served so far, three concern the loss of unencrypted laptops.

"Where personal information is involved, password protection for portable devices is simply not enough," David Smith said.

He said the higher penalty for Hounslow Council was aimed at making clear that an organisation cannot hand over to somebody else the handling of personal information for which it is responsible unless it ensures the information is properly protected.

Following the incident, both councils contacted affected individuals. Both authorities have also put significantly improved policies in place for information security and have agreed to consider an audit by the ICO, he said.
 

This story was first published by Computer Weekly
