ISO 27001 Certification, Data Protection Act & Data Security Consultancy
Forthcoming changes to data and security legislation in the UK could lead to hefty fines for any institution or company that is not compliant with the Information Commissioner's Office (ICO) Data Protection Act (DPA) rulings.
With the DPA now firmly in place, and many organisations struggling to achieve the mandated standards, how can you ensure (and, if audited, evidence to the ICO) that your organisation is fully compliant with current legislation? With all the changes ahead: the European Data Directive; amendments to the Payment Card Industry Data Security Standard (PCI DSS); and the Privacy & Electronic Communications Regulations (PECR), where hefty monetary fines can be imposed for breaches, it seems compliance and legislation are going to be at the top of the agenda for many management teams.
Information Assurance is a difficult subject, made more so by the lack of an objective yardstick until you have achieved certification. If you have not achieved current overall certification (ISO/IEC 27001), which standards do you hold and are they still active? Specialist independent advice and guidance to help you ascertain your organisational risk can be key.
We have substantial experience in data security, process compliance and ISO 27001. We are currently helping educational institutions, amongst others, to comply with the latest security standards and directives, and are available to help you ascertain and mitigate your organisational risk, and implement key standards to ensure your business does not suffer either data breaches or the hefty fines that can be imposed.
You may be “lucky” and get away with giving the ICO an undertaking, although that will most likely lead to an urgent need for costly and tightly time-pressured remedial work; alternatively, you could well be hit with a large fine. By way of examples:
- Scottish Borders Council was recently fined £250,000 by the ICO for allowing a third-party company, to which it had outsourced work, to dispose of paper records in an insecure manner.
- Torbay Care Trust was recently fined £175,000 by the ICO for publishing sensitive details of NHS staff, and was ordered to pay the fine within one month.
- Mr Ian Potter, the headteacher of Bay House School in Hampshire, was recently forced by the ICO to sign an undertaking to improve data security measures following a nationally reported data hack by a pupil.
- We recently worked with an independent school that wishes to remain anonymous, following repeated DPA breaches that we identified, in which staff illegally released sensitive data relating to children and their families. We helped the school to mitigate the damage caused by the data breach, put policies in place to prevent a recurrence, and saved it a potentially substantial fine. (Note: in the event of an independent school breaching the DPA, it is the governors and headteacher who are ultimately liable: the former as directors of the business and the latter by virtue of delegated powers, and it is a criminal matter rather than a civil one if the data relates to vulnerable persons (i.e. children). The negative publicity associated with prosecution by the ICO will do nothing to reassure prospective parents, and a substantial fine that could take 5 or more years to pay off will effectively wipe out any and all fund-raising activities over the same period.)
Here is the full list of ICO Prosecutions, Fines, Undertakings & Enforcement Notices so you can better inform yourself as to the potential risks you face.
The costs of “getting it right” can be almost trivial compared with the costs of failing to do so, with each serious breach attracting a potential maximum fine of £500,000 since 6 April 2010. The ICO guidance on how monetary penalties (fines) are calculated shows that fines are more likely to be towards the top end of the scale if either (let alone both) of the following apply:
- The data relates to children or vulnerable adults; or
- The breaches are repeated (for example as a result of poor policies) rather than a one-off.
Most people running a business are experts in their own field. For example: a restaurant owner knows about food and marketing; hospital trusts and their staff specialise in delivering medical care; school governors, headteachers and their staff are experts at relating to and educating children. We are experts at identifying loopholes in your organisation's processes, and at defining policies and procedures that will plug them and prevent inadvertent data leakage. We can even help you train your staff, if you wish. All our specialist Data Security Consultants hold the necessary ISO 27001 accreditation and experience to carry out this work, and have been security cleared to high levels by either the MoD or GCHQ, so you can be sure that everything you tell us will be treated with discretion.
If you are in any way uncertain about your compliance status, and would prefer to play safe and ensure that your organisation is not at risk of a huge potential fine, we will be happy to help you. In the first instance we will usually meet to discuss any specific concerns you may have, after which we will visit and carry out an audit of your systems and processes; you will receive our written report and recommendations within a few business days thereafter.