Compare and contrast the following recent data protection cases:
1. HSBC: fined, after discount, over £3m by the FSA.
2. Ian Kerr: prosecuted and fined £5,000.
3. Highland Council: asked to give undertaking to get its laptops encrypted.
The HSBC case highlights yet again how few enforcement powers the Information Commissioner was given under the Data Protection Act 1998. It also highlights the ICO's lack of regulatory power to set data protection rules of its own. After all, HSBC was fined by the FSA for breaching FSA rules, not for breaching any legislation.
The same point is demonstrated by the Ian Kerr case. Although it involved systematic and blatant breaches of the data protection principles, including in respect of the processing of sensitive personal data (trade union membership), the prosecution was for the offence of processing personal data without having notified the Information Commissioner, not for the substantive breaches themselves. The court did, however, impose a fine at the top of the scale available to it.
When no statutory offence has been committed, the Information Commissioner must fall back on the enforcement notice powers or on the more recent practice of getting data controllers to volunteer undertakings rather than be made the subject of an enforcement notice, as the Highland Council case shows.
The Highland Council case, on the face of its facts, might be argued to be a little harsh. It concerned the theft of two password-protected laptops from a locked office. The laptops held personal data on over 1,400 individuals, including sensitive personal data (medical information). The key point, however, is that the laptops were unencrypted. A login password only controls who can sign in to the operating system; whoever has the machine can boot from other media or remove the drive and read the data directly, so only encryption of the disk actually protects the data once the laptop is gone. This is yet another reminder that no-one keeping personal data on unencrypted laptops should expect any leniency from the Information Commissioner if they go missing.