Recent action taken by the Information Commissioner's Office ("ICO") continues to highlight the importance of ensuring businesses and public bodies have robust security in place, particularly when it comes to the use of laptops, memory sticks and emails. Breaches may have severe consequences.

Since 6 April 2010, the ICO has had the power to issue monetary penalty notices, requiring organisations to pay up to £500,000 for serious breaches of the data protection principles under the Data Protection Act 1998 (the "DPA"), where the breach was of a kind likely to cause substantial damage or distress and either the contravention was deliberate or the data controller ought to have known of the risk of a contravention likely to have those effects but failed to take reasonable steps to prevent it.

In February this year, the ICO fined the Councils of Ealing and Hounslow £80,000 and £70,000 respectively, in connection with the theft of two laptops from an employee's home. The laptops contained details of around 1,700 individuals. There was no evidence to suggest the data held on the computers had been accessed, and no complaints had been received to date, but there was a significant risk to the individuals' privacy. The data on the laptops were password protected but unencrypted, in breach of the Councils' own policies. This brings the number of monetary penalty cases to four, three of which relate to unencrypted data on laptops. Deputy Commissioner David Smith commented: "where personal information is involved, password protection for portable devices is simply not enough". This is a clear message from the ICO that such practices will not be tolerated and that firm action will be taken.

The use of undertakings continues to be an important tool available to the ICO. February saw six such undertakings, two of which related to the loss or theft of unencrypted data on laptops and a memory stick. Similarly, Gwent Police was found to have breached the DPA when an email containing a spreadsheet of the results of around 10,000 Criminal Records Bureau enquiries was mistakenly sent to a website journalist. A staff member at Gwent Police inadvertently copied the wrong person into the email. This was a breach of the force's IT security policies.

Establishing a Data Protection Security Policy is only the first step in the compliance chain. Effective implementation, training, regular monitoring and auditing are vital to ensure breaches of the kind described above do not occur. The ICO is clearly willing and able to take action and organisations processing personal data would be wise to take on board the trend in enforcement action.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.