ICO Flexes its Muscles in Warm-up for GDPR – Double offender fined £325,000

The current cap on Monetary Penalty Notices for Data Protection Act 1998 breaches is £500,000. That cap is going up to EUR 20,000,000 tomorrow with the coming into force of GDPR and the Data Protection Act 2018 and, to celebrate the imminent increase in its powers, the Information Commissioner’s Office has been flexing its muscles.

The Crown Prosecution Service has been given a substantial £325,000 fine from the ICO for a second data breach, despite having been fined £200,000 in November 2015 for a breach of a similar nature.

The CPS lost encrypted DVDs containing footage of 15 victims of child sexual abuse. The DVDs were left in a shared reception in Nov 2016 without tamper-proof packaging during silent hours and consequently lost, although this was not discovered for a month. Victims were not told of the loss until months later in March 2017.

The DVDs are still currently missing, although the CPS has rolled out a digital transfer system for such evidence to prevent future breaches.

On 21 May the ICO also handed out the first monetary penalty notice to a university. The University of Greenwich has been fined £120,000 following a serious breach involving the personal data of 20,000 staff and students. The breach centred on a training conference microsite developed by an academic and a student in 2004 which was subsequently left unsecured.

Hackers first compromised the site in 2013, with multiple further attacks in 2016 seeing the vulnerability exploited, allowing access to other areas of the University’s servers.

Contact details of students and staff were posted online by the attackers, as well as the more serious breach affecting the sensitive data of 3,500 people such as medical records and details of learning difficulties.

The ICO commented “Whilst the microsite was developed in one of the University’s departments without its knowledge, as a data controller it is responsible for the security of data throughout the institution.”

The Commissioner found that the university did not have in place appropriate technical and organisational measures for ensuring, so far as possible, that such a security breach would not occur, i.e. for ensuring that its systems could not be accessed by attackers.

These fines highlight the serious consequences of data breaches, with the fields of education and government services also coming under scrutiny. These fines have been handed out whilst the cap under the Data Protection Act 1998 is £500,000. We have yet to be given any guidance as to the levels of fines under the new cap of €20,000,000 or 4% of an organisation’s annual turnover, which will be imposed come Friday when the GDPR and Data Protection Act 2018 come into force.

Forbes Solicitors regularly advise a range of businesses on data protection law, including compliance with the DPA, PECR and preparing for the GDPR and ePrivacy Regulation, including providing training. We offer a range of fixed fee Data Protection support services and would be happy to discuss how we can assist you with your preparations, with the aim of helping to minimise the occurrence of breaches and, in the event of a breach, helping to reduce the penalty given. If you have any questions, please contact me on 01254 222451 or at dan.crayford@forbessolicitors.co.uk.

Dan Crayford

About Dan Crayford

Dan joined Forbes in 2014, gaining experience in complex insurance litigation which involved advising clients in the construction and public sectors. In early 2017, Dan joined the Commercial team and moved to specialise in advising clients in the public, quasi-public and third sectors, predominantly in the fields of construction, procurement, social housing regulation, and education governance. Dan has a particular interest in contracts and procurement law, with a focus on advising registered providers of social housing, educational institutions, and other public and charitable organisations. Dan has worked with a range of clients in these sectors including registered providers of social housing of all sizes, maintained schools to MATs, other charities and community entities including CIOs, and CICs. Dan also regularly advises organisations from all sectors on data protection and freedom of information matters, including GDPR, PECR, and Environmental Information Regulations.