ICO penalties for not encrypting sensitive personal data

Peter Tomlinson pwt at iosis.co.uk
Fri Oct 26 10:25:58 BST 2012

Smart Card News has today reported:

Penalty Highlights Need for Encryption of Sensitive Data

The Information Commissioner's Office (ICO) is reminding organisations 
that sensitive personal information should be encrypted when being 
stored and sent electronically.

The news comes as Stoke-on-Trent City Council receives a monetary 
penalty of GBP 120,000 following a serious breach of the Data Protection 
Act that led to sensitive information about a child protection legal 
case being emailed to the wrong person.

Stephen Eckersley, Head of Enforcement at the ICO, said: "If this data 
had been encrypted then the information would have stayed secure. 
Instead, the authority has received a significant penalty for failing to 
adopt what is a simple and widely used security measure. It is 
particularly worrying that a breach in 2010 highlighted similar concerns 
around encryption at the authority, but the issue was not properly 

The breach happened on 14 December 2011 when 11 emails were sent by a 
solicitor at the authority to the wrong address. The emails included 
highly sensitive information relating to the care of a child and further 
information about the health of two adults and two other children. The 
emails should have been sent to Counsel instructed on a child protection 

The ICO's investigation found the solicitor was in breach of the 
council's own guidance which confirmed that sensitive data should be 
sent over a secure network or encrypted. However, the council had failed 
to provide the legal department with encryption software and knew that 
the team had to send emails to unsecure networks. The council also 
provided no relevant training.

** end quote **

I am concerned that such a penalty inflicted on a public sector body is 
monetary, thus presumably either going back to the Treasury or being 
used to fund the ICO. Why not instead require the guilty party to do the 
necessary work of disciplining of staff (and if necessary of Elected 
Members), training, and provision of the tools, do it quickly, and 
demonstrate (to the satisfaction of an inspector) that it has been done?


Peter Tomlinson
Iosis Associates

More information about the ukcrypto mailing list