ICO takes further enforcement action using all available tools

On 6 August the ICO issued a monetary penalty of £175,000 on Torbay Care Trust after sensitive personal information relating to 1,373 employees was published on the Trust’s website. The spreadsheet included personal data, such as names, pay scales, dates of birth and National Insurance Numbers, and sensitive details about race, religion and sexual orientation. The data was publicly available for 19 weeks.

The ICO announced on 12 July that it has fined St George’s Healthcare NHS Trust £60,000 for accidentally sending vulnerable individuals' sensitive medical details to the wrong address. The two letters contained confidential and highly sensitive information:  details of medical history, findings of examinations, medical opinions and test results.

Also recently the ICO issued an Enforcement Notice on Southampton City Council after the council breached the Data Protection Act by requiring taxi operators to record all conversations and images while the vehicles were in use, and an Undertaking on Marston Properties for losing personal details of 37 staff when a filing cabinet the information was stored in was sent to a recycling centre and crushed.

Finally, a Lancashire bar owner was prosecuted by the ICO on 2 August for failing to register his premises’ use of CCTV equipment. The owner was fined £100 and ordered to pay £250 prosecution costs. While this is just the fourth prosecution case this year, the ICO is making good use of its other enforcement methods. Since the beginning of January, the Commissioner has issued Undertakings on 29 organisations, and issued 14 fines ranging from £1,000 to £325,000.

See further details of all these and other recent enforcement actions.