24 May, 2018
The current cap on Monetary Penalty Notices for Data Protection Act 1998 breaches is £500,000. That cap is going up to EUR 20,000,000 tomorrow with the coming into force of GDPR and the Data Protection Act 2018 and, to celebrate the imminent increase in its powers, the Information Commissioner's Office has been flexing its muscles.
The Crown Prosecution Service has been given a substantial £325,000 fine from the ICO for a second data breach, despite having been fined £200,000 in November 2015 for a breach of a similar nature.
The CPS lost encrypted DVDs containing footage of 15 victims of child sexual abuse. The DVDs were left in a shared reception in Nov 2016 without tamper-proof packaging during silent hours and consequently lost, although this was not discovered for a month. Victims were not told of the loss until months later in March 2017.
The DVDs are still currently missing, although the CPS has rolled out a digital transfer system for such evidence to prevent future breaches.
On 21 May the ICO also handed out the first monetary penalty notice to a university. The University of Greenwich has been fined £120,000 following a serious breach involving the personal data of 20,000 staff and students. The breach centred on a training conference microsite developed by an academic and a student in 2004 which was subsequently left unsecured.
Hackers first compromised the site in 2013, with multiple further attacks in 2016 seeing the vulnerability exploited, allowing access to other areas of the University's servers.
Contact details of students and staff were posted online by the attackers, as well as the more serious breach affecting the sensitive data of 3,500 people such as medical records and details of learning difficulties.
The ICO commented "Whilst the microsite was developed in one of the University's departments without its knowledge, as a data controller it is responsible for the security of data throughout the institution."
The Commissioner found that the university did not have in place appropriate technical and organisational measures for ensuring, so far as possible, that such a security breach would not occur, i.e. for ensuring that its systems could not be accessed by attackers.
These fines highlight the serious consequences of data breaches, with the fields of education and government services also coming under scrutiny. These fines have been handed out whilst the cap under the Data Protection Act 1998 is £500,000. We have yet to be given any guidance as to the levels of fines under the new cap of €20,000,000 or 4% of an organisation's annual turnover, which will be imposed come Friday when the GDPR and Data Protection Act 2018 come into force.
Forbes Solicitors regularly advise a range of businesses on data protection law, including compliance with the DPA and PECR and preparing for the GDPR and ePrivacy Regulation, including providing training. We offer a range of fixed fee Data Protection support services and would be happy to discuss how we can assist you with your preparations, with the aim of helping to minimise the occurrence of breaches and, in the event of a breach, helping to reduce the penalty given. If you have any questions, please contact me on 01254 222451 or at firstname.lastname@example.org.