Who should pay the fine if a government body or enterprise is found guilty of breaching the security of confidential data the organization or the actual individual involved?
This is the interesting question raised this week by the decision by the UKs privacy watchdog, the Information Commissioners Office, to fine a local English council and an employment agency for being culpable for data loss. The ICO has this power under the Data Protection Act 1998, but the cases represent the first times fines have been levied.
The cases raise questions about what strategy governments in Asia are planning to take relating to data breach issues. In the UK and the US data breaches are required to be reported to the authorities, but most Asia governments have yet to make this mandatory.
For faxing confidential information to unqualified recipients, the Hertfordshire County Council has been fined £100,000 (US$156,000) for two serious incidents in June 2010 where council employees faxed highly sensitive personal information to the wrong people.
An ICO statement said the first incident, involving child sexual abuse, was before the courts, and the second involved details of care proceedings. The Council reported both cases to the ICO.
The first misdirected fax was meant for barristers chambers and was sent to a member of the public, the statement said. The council subsequently obtained a court injunction prohibiting any disclosure of the facts of the court case or circumstances of the data breach.
The statement said that the second misdirected fax, sent 13 days later by another member of the councils childcare litigation unit, contained information relating to the care proceedings of three children, the previous convictions of two individuals, domestic violence records and care professionals opinions. The fax was mistakenly sent to barristers chambers unconnected with the case.
The ICO Commissioner ruled that: a monetary penalty of £100,000 was appropriate, given that the Councils procedures failed to stop two serious breaches taking place where access to the data could have caused substantial damage and distress. After the first breach occurred, the council did not take sufficient steps to reduce the likelihood of another breach occurring.
The ICO said the second case, involving employment agency A4e, data breach also in June 2010 came after the company issued an unencrypted laptop to an employee for the purposes of working at home. The laptop contained sensitive personal information when it was stolen from the employees house.
The laptop contained personal information relating to 24,000 people who had used community legal advice centres in Hull and Leicester, the ICO statement said. An unsuccessful attempt to access the data was made shortly after the laptop was stolen. Personal details recorded on the system included full names, dates of birth, postcodes, employment status, income level, information about alleged criminal activity and whether an individual had been a victim of violence.
Sign up for CIO Asia eNewsletters.