Ealing Council and Hounslow Council fined by ICO – Unencrypted Laptops

Both Councils Fined

The Information Commissioner’s Office (ICO) today served Earling Council and Hounslow Council with monetary penalties for serious breaches of the Data Protection Act after the loss of two unencrypted laptops containing sensitive personal information.

The two laptops contained details of around 1,700 individuals and was stolen from an employees home. Ealing Council provides an out of hours service on behalf of both councils, which is operated by nine staff who work from home. The team receive contact from a variety of sources and rely on laptops to record information about individuals.
Almost 1,000 records were clients of Ealing Council and almost 700 were clients of Hounslow Council. Both laptops were password protected but were unencrypted.

Ealing Council – FINED £80,000

Hounslow Council – FINED £70,000

The ICO issued Ealing Council with an £80,000 penalty explaining that it breached the Data Protection Act by issuing an unencrypted laptop to a member of staff in breach of its own policies. This method of working has scarily been in place for several years and there were insufficient checks that relevant policies were being followed or understood by staff.
Hounslow Council breached the Data Protection Act by failing to have a written contract in place with Ealing Council. Hounslow failed to also monitor Ealing Council’s procedures for operating the service securely.
Deputy Commissioner, David Smith, said:
“Of the four monetary penalties that we have served so far, three concern the loss of unencrypted laptops. Where personal information is involved, password protection for portable devices is simply not enough.”
Following the incident, both Councils also had to fork out in time and money to notify all individuals affected.
Stuart Gilbertson, Managing Director of Consider IT Limited, said:
“This is the first time two Councils have been fined as part of one case. Both fines reflect the importance of adhering to the Data Protection Act. The fines clearly demonstrate the seriousness of being lackadaisical about your clients data and what consequences there are for when things go wrong. It costs roughly £100 to encrypt a laptop, and not much more to put in proper procedures. Compare that with the £80,000 fine that one Council has received today.”

The monetary penalty served on Ealing Council can be found here (PDF).

The monetary penalty served on Hounslow Council can be found here (PDF).

For more information about ensuring your business complies with the Data Protection Act, have a look at our encryption services page.