Ealing Council and Hounslow Council have been fined a total of £150,000 by the Information Commissioner’s Office (ICO) for losing two unencrypted laptops containing sensitive information.
The laptops, containing the details of around 1,700 individuals, were stolen from an employee’s home. Almost 1,000 of the individuals were clients of Ealing Council and the rest were clients of Hounslow Council.
Both laptops were password protected but unencrypted, despite this being in breach of both councils’ policies.
Ealing Council provides an out-of-hours service on behalf of both councils, which is operated by nine staff who work from home. The team receive contact from a variety of sources and rely on laptops to record information about individuals.
The ICO said there is no evidence to suggest that the data held on the computers has been accessed, and the data controllers have received no complaints from clients to date. But there was a "significant risk" to the clients’ privacy, the ICO said.
As a result, the ICO has fined Ealing Council £80,000, and has fined Hounslow Council £70,000. The ICO said Ealing Council breached the Data Protection Act by issuing an unencrypted laptop to a member of staff in breach of its own policies.
These policies have been in place for several years and there were insufficient checks that relevant policies were being followed or understood by staff, said the ICO.
It added that Hounslow Council breached the Act by failing to have a written contract in place with Ealing Council. Hounslow also did not monitor Ealing Council’s procedures for operating the service securely.
ICO deputy commissioner David Smith said, “Of the four monetary penalties that we have served so far on organisations, three concern the loss of unencrypted laptops. Where personal information is involved, password protection for portable devices is simply not enough.”
Smith said, “The penalty against Hounslow Council also makes it clear that an organisation can’t simply hand over the handling of the personal information it is responsible for to somebody else, unless they ensure that the information is properly protected.”
The latest fines come after the ICO warned that around 13,000 councillors were potentially breaking the Data Protection Act after not registering as data controllers.
Councillors who handle citizens' personal data need to take the DPA "seriously", the ICO said, and check if they need to register as data controllers.
The ICO said that while 6,000 councillors had registered, around 13,000 had not, even though registration may have been necessary.