Data Protection penalties issued by the ICO

Recruitment company hit as, for the first time, the Information Commissioner’s Office (ICO) exercises new powers to serve penalties for serious data protection breaches.

We reported earlier this year that the enforcement powers of the ICO had been extended. The new powers allow the ICO to issue a penalty notice up to the value of £500,000 in respect of serious contraventions of the 8 Data Protection Principles.

The ICO has now announced the first two such penalties to be issued.

  • The first fine amounted to £100,000 and was imposed on Hertfordshire County Council after it erroneously faxed sensitive information to members of the public, including information regarding a child sexual abuse case.
  • The second fine was imposed on a company offering recruitment services. This time the fine was for £60,000 after the theft of a laptop which contained the personal data of 24,000 people. An employee had been allowed to take the laptop away from the office for the purpose of working at home. The employee’s home was burgled and the laptop taken.

The high figures involved in each of these cases highlights the importance of the Data Protection Act (DPA) and the potential risks of non-compliance. Lawspeed clients are advised to take care to use personal data in accordance with the DPA only, and to prevent the unauthorised loss, use or destruction of personal data. This may be particularly pertinent for recruitment consultancies which typically hold large databases of personal data relating to their candidates. Recruiters may wish to reconsider their policies if consultants are permitted to work from home or take personal data off-site.

If you need advice about the Data Protection Act, including the practicalities of compliance or the relevant contractual provisions in your candidate-facing contracts, please get in touch.

Court rejects review of new travel expenses law
The ARC to work with BIS on AWR guidance