Data protection has been a particularly hot topic in the news recently, with an increasing number of stories of lost data and phone hacking. Consequently, the Government is currently consulting on increasing the level of fines to £500,000 and on custodial sentences to prevent future breaches.
Many complaints are directed at public sector bodies. Over the past two years, 818 data security breaches have been reported to the Information Commissioner (IC), of which 240 came from the NHS, 172 from central and local government and 112 from other public bodies. Of the 818 reported breaches, 262 resulted from thefts – often of portable devices.
In January an NHS Trust made a formal commitment to improve data security after an unencrypted laptop containing around 33,000 password-protected patient records was left in a vehicle that was unlocked and unattended. Also in January, a county council was found to be in breach of the Data Protection Act (DPA) after social work records containing sensitive personal data were found in a filing cabinet purchased secondhand by a member of the public.
At present, a breach of the DPA can result in the IC serving an enforcement notice. Failure to take action following the enforcement notice can lead to a £5,000 fine. This is relatively insignificant for large organisations, particularly given the expense of implementing good data protection policies and the training associated with it. Indeed, one serial offender greeted the IC’s investigators with: “What’s the maximum fine for this, £5,000? I’ll write the cheque now.”
Breaching the DPA can lead to significant consequences for those whose data is misused. Following a parking dispute in a supermarket, a police officer passed a pensioner’s address to the other man involved in the dispute. The man went to the pensioner’s house and threw a brick through his window. The pensioner died from the shock of the incident.
On other occasions, organisations, including hospitals and other public sector bodies, have disclosed personal data over the telephone to callers seeking data for criminal purposes, such as stalking.
There are, however, concerns about introducing increased penalties for breaches of the DPA. It is often vital for public sector organisations to be able to share information. There have been a number of high-profile tragedies to which the failure of public sector organisations to pool information has contributed.
Fear of breaching the DPA can result in organisations refusing to disclose personal data about individuals. This can have extremely serious consequences for the protection of vulnerable individuals. This is exacerbated by the complexity of the DPA, which creates a lack of confidence among those affected by it.
The consultation on fines closed in December 2009. On 12 January 2010 the Ministry of Justice (MoJ) released its response to the consultation. The MoJ intends to proceed with the proposals and, subject to parliamentary approval, from 6 April 2010 the IC will be able to impose a penalty of up to £500,000 for breaches of the DPA.
Guidance will be issued setting out how this power will be used, the appeal procedures and the level of penalty.
The MoJ also recently consulted on the issue of custodial sentences for the knowing or reckless misuse of personal data.
This consultation relates to offences committed under Section 55 of the DPA, which prohibits the unlawful obtaining of personal data. This includes, for example, the trading of personal information and obtaining information through dishonest means (such as pretending to be someone else to obtain confidential information). While the proposals appear to be primarily intended to address concerns regarding journalists and investigators, employees who have access to personal data also have the potential to breach Section 55 if they misuse their powers.
The MoJ is yet to publish its response to the consultation although many expect the proposals to become law.
Breaches of the DPA can result in fines, adverse publicity and claims from third parties whose data has been lost. Custodial sentences may also be introduced for some breaches.
Reducing the risk
It is profoundly important that public sector bodies have strategies in place to ensure they comply with the rules and provisions set out under the DPA. The key to avoiding substantial fines, and in future possibly custodial sentences, is to follow some basic steps:
- Ensure that your organisation has a good data protection policy that complies with the data protection principles.
- Operate clear retention and destruction policies for documentation.
- Make sure all public sector employees have basic training in data protection.
- Make sure that all laptops and memory sticks are encrypted.
- Make sure access to sensitive personal data is restricted.
- Ensure laptops and memory sticks do not contain excess data that is not strictly necessary for the work in hand.
- Do not dispose of old computers until the personal information on them has been securely removed.
- Shred all your confidential paper waste.
Tim Smith is a partner and Ella Pirgon is a solicitor at Berrymans Lace Mawer