Posts Tagged ‘fines’

The perils of email – £120,000 fine imposed for sending emails to the wrong recipients (TLT LLP)

July 13, 2011

Updated July 2011

We are all aware of how easy it can be to send an email to the wrong recipient. Unfortunately for Surrey County Council, such a simple error resulted in a fine of £120,000 imposed by the Information Commissioner’s Office (ICO). The fine is the largest imposed on a single organisation since the ICO was granted its enhanced powers to issue fines in April 2010. The Council was fined for three serious breaches of the Data Protection Act over the last year.

What happened?

The first breach occurred on 17 May 2010 when a Council employee inadvertently emailed personal information relating to 241 adult social care service users to the wrong group email address. An attempt was made to recall the email, but the Council could not confirm that the recipients had destroyed the messages.

On a further two occasions, the Council sent sensitive personal data to the incorrect recipients.

The monetary penalty notice issued by the ICO stated that there had been a serious contravention of section 4(4) of the Data Protection Act. The Council had failed to take appropriate measures against unauthorised processing, such as providing employees with appropriate IT training and support, establishing naming conventions for group email distribution lists, and ensuring that emails containing sensitive personal data were encrypted.
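Two of the controls the notice lists, a naming convention that makes a group distribution list recognisable and a rule that sensitive personal data leaves the organisation only in encrypted form, can be enforced by machine rather than left to the sender's attention. The script below is an added example written for this page; it is not code from the ICO notice or from the Council. The example.gov.uk domain, the dl- list prefix, the X-Sensitivity label header, the keyword and ten-digit-identifier heuristics, and the three sample messages are all constructed assumptions for illustration.

```python
"""Outbound-mail policy gate (added example; all names and samples are assumed).

Blocks the combination the ICO penalised: personal data sent in clear to a
group distribution list or to an address outside the organisation.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import getaddresses

ORG_DOMAIN = "example.gov.uk"  # assumed organisation domain

# Assumed naming convention: every group distribution list has a "dl-" local-part
# prefix, so a sender (and this check) can tell a list from a person at a glance.
GROUP_LIST_RE = re.compile(r"^dl-[a-z0-9-]+@" + re.escape(ORG_DOMAIN) + r"$", re.I)

# Assumed sender-applied label header; the content heuristics are only a fallback.
SENSITIVITY_HEADER = "X-Sensitivity"
SENSITIVE_WORDS = ("social care", "care plan", "diagnosis", "medical")
TEN_DIGIT_ID_RE = re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{4}\b")  # e.g. a service-user number

# Content types that show the body itself is encrypted (PGP/MIME or S/MIME).
ENCRYPTED_TYPES = {"multipart/encrypted", "application/pkcs7-mime"}


def recipients(msg: Message) -> list[str]:
    """All To/Cc/Bcc addresses, lower-cased, display names stripped."""
    raw = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return [addr.lower() for _, addr in getaddresses(raw) if addr]


def is_group_list(addr: str) -> bool:
    return GROUP_LIST_RE.match(addr) is not None


def is_external(addr: str) -> bool:
    return not addr.endswith("@" + ORG_DOMAIN)


def is_encrypted(msg: Message) -> bool:
    return msg.get_content_type() in ENCRYPTED_TYPES


def body_text(msg: Message) -> str:
    """Concatenated text/plain parts; empty for an encrypted message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode("utf-8", errors="replace"))
    return "\n".join(chunks)


def looks_sensitive(msg: Message) -> bool:
    """The sender's label wins; otherwise fall back to a simple content scan."""
    if msg.get(SENSITIVITY_HEADER, "").strip().lower() == "sensitive":
        return True
    text = body_text(msg).lower()
    return bool(TEN_DIGIT_ID_RE.search(text)) or any(w in text for w in SENSITIVE_WORDS)


def check_outbound(raw_message: str) -> dict:
    """Return the allow/block decision together with the evidence behind it."""
    msg = message_from_string(raw_message)
    rcpts = recipients(msg)
    groups = [a for a in rcpts if is_group_list(a)]
    externals = [a for a in rcpts if is_external(a)]
    sensitive, encrypted = looks_sensitive(msg), is_encrypted(msg)
    reasons = []
    if sensitive and not encrypted:
        reasons += [f"sensitive data to group list {g} in clear" for g in groups]
        reasons += [f"sensitive data to external recipient {e} in clear" for e in externals]
    return {"allow": not reasons, "sensitive": sensitive, "encrypted": encrypted,
            "group_lists": groups, "external": externals, "reasons": reasons}


# Constructed samples. The first is the mis-addressed case: care records to a
# whole group list, unencrypted. The second is the same message sent as S/MIME
# (placeholder payload, not real ciphertext). The third is routine traffic.
SAMPLE_PLAIN = """\
From: caseworker@example.gov.uk
To: dl-adultcare@example.gov.uk
Subject: Care plan updates
Content-Type: text/plain; charset=utf-8

Please see the updated care plan for the client, reference 943 476 5919.
"""
SAMPLE_ENCRYPTED = """\
From: caseworker@example.gov.uk
To: dl-adultcare@example.gov.uk
Subject: Care plan updates
X-Sensitivity: sensitive
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

QUJDREVGR0hJSg==
"""
SAMPLE_ROUTINE = """\
From: caseworker@example.gov.uk
To: Jane Colleague <jane.colleague@example.gov.uk>
Subject: Meeting room
Content-Type: text/plain; charset=utf-8

Room 4 is booked for 2pm.
"""

if __name__ == "__main__":
    for name, raw in (("plain", SAMPLE_PLAIN), ("encrypted", SAMPLE_ENCRYPTED), ("routine", SAMPLE_ROUTINE)):
        print(name, check_outbound(raw))
```

The check runs at the mail gateway or as a send-time hook, where it sees the final recipient list rather than what the sender thought they typed; the naming convention is what lets it (and the sender) distinguish dl-adultcare from a colleague's personal address. The keyword and number patterns are deliberately crude: in practice the sender-applied label, or a classification system that sets it, is the signal to rely on, and an encrypted message cannot be inspected at all, which is why the label path exists.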

The ICO also stated that the contravention was of a kind likely to cause substantial distress to individuals, who would know that confidential sensitive personal data about them had been disclosed to a large number of people who had no right to see it. The Information Commissioner further said that the fine took into account the serious nature of the initial breach and the occurrence of two further similar breaches.

Comment

The facts of this case are similar to other cases in which fines have been imposed by the ICO. Organisations that deal with sensitive data relating to vulnerable people need to take extra care to ensure that personal data is kept securely, that appropriate procedures are in place to protect it, and that staff are properly trained in how to handle sensitive personal data, in particular when sending it to third parties (whether by email or other means). If a breach occurs and sensitive personal data is disclosed to unauthorised recipients, there is a high risk that the ICO will impose a fine.

We recommend that all organisations that handle sensitive personal data review their data handling procedures and staff training. You must ensure that appropriate technical measures have been taken to transmit sensitive personal data securely and that employees understand their duties in relation to data protection and the procedures to be followed when sending out sensitive information.

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at July 2011. Specific advice should be sought for specific cases; we cannot be held responsible for any action (or decision not to take action) made in reliance upon the content of this publication.

© TLT LLP 2011. TLT LLP is a limited liability partnership registered in England and Wales number OC 308658.

ICO given new powers to impose fines for marketing breaches (TLT LLP)

June 2, 2011

The Information Commissioner’s Office (ICO) has been granted new powers as a result of an amendment to the UK’s Privacy and Electronic Communications Regulations (PECR). The new powers, which came into effect on 26 May 2011, include:

Extended financial penalties: the ICO can impose a penalty of up to £500,000 for the most serious breaches of the PECR. This covers nuisance marketing emails, texts and phone calls.
Increased investigatory powers: the ICO can require telecoms companies and Internet Service Providers (ISPs) to provide information needed to investigate breaches of the PECR.
Compulsory notification when breaches occur: telecoms companies and ISPs must notify the ICO, and their customers, when a personal data breach occurs. A fixed penalty of £1,000 per offence will apply where personal data breaches are not notified.
Increased audit powers: the ICO can audit telecoms companies and ISPs for compliance with personal data breach notification requirements.
New rules for websites using cookies: the ICO will be responsible for ensuring compliance with the new cookie consent requirements.

The ICO will be issuing guidance on their new enforcement powers but the date for release is yet to be confirmed.

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at June 2011. Specific advice should be sought for specific cases; we cannot be held responsible for any action (or decision not to take action) made in reliance upon the content of this publication.