The ICO has flexed its muscles against Surrey County Council and imposed a £120,000 fine for breaching the Data Protection Act. While this falls well short of the maximum allowed in law (£500,000), it is larger than most of the recent fines issued.

The likelihood is that the size of this penalty was driven more by the repeated nature of the security breaches at Surrey County Council than by the seriousness of the original offence on its own.

From the ICO’s site:

This significant penalty fully reflects the seriousness of the case. The fact that sensitive personal information relating to the health and welfare of 241 vulnerable individuals was sent to the wrong people is shocking enough. But when you take into account the two similar breaches that followed, it is clear that Surrey County Council failed to fully address the risks of sending sensitive personal data by email until it was far too late.

The three incidents in question were on 17 May 2010 (when the 241 sets of details were sent out), 22 June 2010 (when an unspecified number of breaches took place) and 21 Jan 2011 (which appears to have been a comparatively minor incident, in which no data left the Council’s network).

Reading through the ICO findings, it appears the Council failed to learn from the trigger incident (17 May 2010): although it may have put some control measures in place, these were not effective enough to stop the same kind of breach recurring. It is a sad fact that even with the best security controls in place, breaches will still occur – however, in this case the ICO clearly felt that the Council did not do enough, quickly enough, to address the risks after the first incident.

Christopher Graham, UK Information Commissioner, stated: (emphasis ours)

Any organisation handling sensitive information must have appropriate levels of security in place. Surrey County Council has paid the price for their failings and this case should act as a warning to others that lax data protection practices will not be tolerated.

This is probably the most salient lesson to take away from the fine on Surrey County Council.

As we so often state, do not wait until the ICO is investigating you to build security into your business process.