The ICO has only recently acquired powers to audit organisations and to fine them, and the two are not entirely independent of each other. During an audit the ICO can enter your premises, access your information, documents and equipment, observe how data is processed and interview your staff. Although the ICO has said that it will not levy fines in respect of anything it discovers to be lacking during the audit itself, an organisation found wanting is likely to attract closer scrutiny and so to be at greater risk of a fine in the future.
The ICO can issue a fine where there has been a serious breach of the data protection principles set out in the Data Protection Act 1998, where that breach is of a kind likely to cause substantial damage or distress, and where the breach was either deliberate or reckless, in that the organisation knew or ought to have known of the risk and took no reasonable steps to prevent it.
The ICO's first two fines show what constitutes unacceptable behaviour.
Firstly, in a case against Hertfordshire County Council (fined £100,000), the Commissioner made it clear that he will not condone reckless behaviour when sending faxes. One should phone ahead to confirm the fax number and ask that someone stand by to receive the fax, and afterwards the sender should telephone again to confirm safe receipt, particularly where the contents of the fax are sensitive.
Secondly, following the case of A4e (fined £60,000), the ICO has said that if you put personal data (as defined by the Data Protection Act 1998) on an unencrypted laptop and then lose that laptop (whether it is misplaced or stolen), enforcement action will follow. While the Commissioner also criticised the home-worker in A4e for not following the company's IT policy, he considered that, as a matter of course, wherever there is the potential for an employee to process personal data on a company laptop, that laptop must not be issued unencrypted.
There are several ways to prepare an organisation for a potential audit and to reduce its exposure to enforcement action:
- Carry out a data protection compliance audit to establish what relevant personal data your organisation holds, who has access to it, where it is held and how it is processed.
- Regularly question whether data needs to be kept or whether it is out of date and should be securely destroyed, whether it should be consolidated into a single repository rather than scattered across systems, and whether access to it should be restricted by password or other access control.
- Document the fact that your organisation has carried out an audit, and action the recommendations which stem from it.
- Ensure that staff are trained in your organisation's data protection policies, that compliance is monitored regularly, and that contractors working within your organisation are held to the same standards.
This groundwork should help avoid the highly public and expensive mistakes made by A4e and Hertfordshire County Council.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.