To fine, or not to fine: that is the question

Compare and contrast the following recent data protection cases:

1.  HSBC: fined, after discount, over £3m by the FSA.

2.  Ian Kerr: prosecuted and fined £5,000.

3. Highland Council: asked to give undertaking to get its laptops encrypted.

The HSBC case highlights yet again the lack of enforcement powers given to the Information Commissioner under the Data Protection Act 1998.  It also highlights the lack of regulatory powers the ICO has to set data protection rules.  After all, HSBC was fined by the FSA for breach of FSA rules, not for breach of any legislation.

This is demonstrated in the Ian Kerr case.  Although this involved systematic and blatant breaches of the data protection principles, including in respect of the processing of sensitive personal data (trade union membership), the prosecution was for the offence of not being notified to the Information Commissioner.  However, a fine at the top of the scale was imposed by the court.

When no statutory offences have been committed, the Information Commissioner must fall back on the enforcement notice powers and the more recent innovation of getting data controllers to volunteer undertakings rather than be made the subject of an enforcement notice, as shown by Highland Council

The Highland Council case on the face of its facts may be argued to be a little harsh.  It concerned the theft of 2 password-protected laptops from a locked office.  The laptops had personal data for over 1,400 individuals, including sensitive personal data (medical information).  The key point, however, is that the laptops were unencrypted.  This is yet another reminder that no-one using unencrypted laptops for personal data should expect any leniency from the Information Commissioner if they go missing.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s