Council and firm both fined over data breaches
The Information Commissioner served the monetary penalty on Hertfordshire County Council for serious breaches of the Data Protection Act.
A separate fine of 60,000 was also imposed on Sheffield-based employment services company A4e over the theft of a laptop containing personal information about 24,000 people who had used community legal advice centres in Hull and Leicester.
Hertfordshire County Council reported the breaches in June and said today that it accepted the Commissioner's findings. Processes were now in place to prevent a repeat.
The first misdirected fax, which was meant for barristers' chambers, was sent to a member of the public.
The council subsequently obtained a court injunction prohibiting disclosure of the details.
The second fax, sent 13 days later by a different employee, contained information relating to the care proceedings of three children, the previous convictions of two individuals, domestic violence records and care professionals' opinions.
Instead of going to Watford County Court, it was mistakenly sent to a barristers' chambers unconnected with the case.
In the A4e case, which also happened in June, the firm was punished for issuing an unencrypted laptop containing sensitive personal information including names, dates of birth, postcodes, income level and details of alleged criminal activity to an employee working from home in London, which was subsequently stolen.
As well as reporting the incident to the ICO, the company notified the people whose data could have been accessed.
Information Commissioner Christopher Graham said: "It is difficult to imagine information more sensitive than that relating to a child sex abuse case.
"I am concerned at this breach – not least because the local authority allowed it to happen twice within two weeks.
"The laptop theft, while less shocking, also warranted nothing less than a monetary penalty as thousands of people's privacy was potentially compromised by the company's failure to take the simple step of encrypting the data."
A4e chief executive Andrew Dutton said: "We fully accept today's judgment and will continue to co-operate with the ICO."