On 24 November the Information Commissioner served two organisations with the first monetary penalty notices for serious breaches of the Data Protection Act. The Information Commissioner's Office ("ICO") has had the power to issue fines of up to £500,000 for such breaches since 6 April 2010.

The ICO has already made it clear that these first penalty notices are "likely to set a precedent by which future notices will be judged". As such, organisations should evaluate their own technical and organisational procedures and, if necessary, take steps to avoid similar breaches.

Hertfordshire County Council was one of the organisations to receive a monetary penalty notice. The fine was for £100,000 in respect of two breaches that happened in June this year. The breaches resulted from the Council's childcare litigation unit sending two faxes to the wrong recipients on two separate occasions within a two-week period. The faxes contained information relating to a child abuse case and care proceedings.

The ICO served a monetary penalty on the basis that the Council had failed to prevent two serious breaches of the Data Protection Act where the disclosure of information risked causing substantial damage and distress.

Christopher Graham, the Information Commissioner, said:

"It is difficult to imagine information more sensitive than that relating to a child sex abuse case".

The second organisation to be served with a fine was employment services company A4e. A4e were fined £60,000 when an unencrypted laptop that had been provided to an employee was stolen from the employee's home in a burglary. The laptop contained personal information relating to 24,000 people who had used community legal advice centres in Leicester and Hull.

The information that was lost included names, dates of birth, postcodes, employment details, income levels, information about alleged crimes and details of whether individuals had been victims of violence. Some of the information was coded, but the key to the codes was set out in a separate document stored on the same laptop.

A monetary penalty was considered to be appropriate because A4e had issued an employee with a laptop containing large amounts of unencrypted information, despite being aware of the personal nature of that information, and because access to that information could have caused substantial distress. It was also relevant that A4e had failed to provide the employee with a lock to secure the laptop at home.

Organisations should be aware that the ICO's policy is to take enforcement action where laptops containing personal data do not have adequate protection and are lost or stolen. Whilst the financial consequences of receiving a monetary penalty notice will be of concern, in many cases it is reputational damage that will be the most severe consequence.

This article was written for Law-Now, CMS Cameron McKenna's free online information service. To register for Law-Now, please go to www.law-now.com/law-now/mondaq

The original publication date for this article was 29/11/2010.