ASLIB: The Association for Information Management.

ASLIB News

>>> Financial penalty imposed on Norfolk County Council for Data Protection breach

A financial penalty of £80,000 has been imposed by the UK Information Commissioner on Norfolk County Council because of a serious breach of the Data Protection Act involving three data subjects, one of whom is a vulnerable child.

The case is of particular interest in compliance terms for the following reasons:

  • It throws further light on the considerations involved in a decision to impose a financial penalty.
  • It gives an indication of the Commissioner's expectations with regard to a Data Protection policy and its support through training.
  • It gives us an example of the Commissioner's expectations with regard to refresher training.
  • It tells us what the Commissioner expects a data controller to know about the sensitivity of data and the potential consequences of a breach.

The circumstances of the case and the Commissioner's findings are set out below.

In April 2010 a social worker in the Children's Services Department of Norfolk County Council in the UK (the data controller for the purposes of the Data Protection Act) wrote a report for a conference about a child protection case. The father of the child who was the subject of the case did not attend the conference, so the social worker decided to write a report for him. The social worker put the report into an envelope, wrote the wrong address on it and left off the father's name. The social worker then delivered the envelope to the address written on it, which happened to be that of the father's next-door neighbour.

The recipient opened the envelope and read the report, and only once they had read it did they realise it had been sent to them in error. They immediately contacted Norfolk Social Services to report that they had received a report in error.

The report included highly confidential information about the child's emotional health and wellbeing and contained comments expressing concern about the mother's refusal to suspend the child's contact with the father. The report was returned to Norfolk County Council Social Services by the unintended recipient, who also signed an undertaking not to reveal anything about its contents to anyone else.

Formal complaints were lodged by both the mother and the father of the child to the data controller and the General Social Work Council.

At the time of the breach, there was a Data Protection policy posted on the data controller's intranet which recommended that sensitive information be sent by a trackable service such as that of a courier or recorded post. The social worker may not have been aware of this because they had only been in post for nine months and had not yet completed the relevant e-learning course. The data controller did not have a procedure set up for recording the training of staff on Data Protection. However, even if the social worker had known that they should send the report by a trackable service, it would still have been received by the wrong recipient because the envelope did not include the name of the father and had the wrong address written on it.

The data controller has written letters of apology to the mother, the father and the unintended recipient. It has sent an email to all staff reminding them of their responsibilities; the social worker has been given a warning and has been required to complete the Data Protection e-learning course. The data controller has also agreed to ensure that all members of staff receive Data Protection training, with a refresher every three years. Staff training is to be monitored, and the data controller has agreed that a peer checking procedure will be introduced when documents which include sensitive data are to be sent or delivered.

The Commissioner has decided to impose a monetary penalty because of the seriousness of the breach. In particular, the data controller did not have procedures set up to ensure that unauthorised processing of personal data did not take place; in this instance, for example, peer checking to ensure that address details are correct. The Commissioner does not consider that the measures which had been taken were sufficient considering the harm that a breach involving such sensitive personal data could cause.

The Commissioner found that it was highly likely that a breach would cause substantial distress to the child and the child's parents, and that the possibility of further dissemination of the sensitive information to third parties would also cause distress, even though no evidence has come to light so far of any such disclosure. The Commissioner also noted that the unintended recipient is known to the data subjects.

A further finding was that under section 55 the data controller ought to have known that such a breach was possible or likely, and that adequate measures should have been taken to prevent it. The Commissioner's reasoning is that social workers regularly handle very sensitive information, the loss of which would be likely to cause significant distress, and the data controller should have known this.

Summary

The nature of the contravention was that confidential and highly sensitive personal data was disclosed to a third party. The information related to three data subjects, one of whom was a vulnerable child. The contravention was serious because of the highly sensitive nature of the data disclosed.

The effect of the contravention was that the identity of the data subjects was disclosed to the father's next-door neighbour. Some of the data is now in the public domain. The contravention was one of a kind likely to cause substantial distress to the data subjects.

The contravention was found to be due to the negligent behaviour of the data controller in failing to take adequate steps to prevent unauthorised disclosure of personal data.

The Commissioner considers that the data controller has sufficient financial resources to pay the penalty without this causing undue hardship.

The mitigating factors which were taken into account were that no previous cases of such breaches by the data controller have come to the attention of the Commissioner. The unintended recipient has signed a non-disclosure agreement and there is no evidence so far of further dissemination of the information. The incident was voluntarily disclosed, a detailed investigation has been carried out, substantial remedial measures have been taken and the data controller cooperated fully with the ICO.

Other matters taken into consideration include the fact that the liability to pay will fall to the public purse, and that there is likely to be substantial damage to the reputation of the data controller as a result of this incident.

One of the reasons for imposing a financial penalty is to draw attention to the importance of compliance with the Data Protection Act.

The penalty was fixed at £80,000, with a reduction to £64,000 if full settlement is made before 6 March 2012. There is a right of appeal to the First Tier Tribunal of the General Regulatory Chamber.

2012-02-15


>>> Financial penalty imposed on Croydon Council for Data Protection breach

In April 2011 a file containing sensitive data about a child in the personal care of the Council was stolen from a public house. The file was in a bag belonging to a social worker who worked in the data controller's Children and Young Person's Department. The social worker had put the file in the bag so that he could travel straight to a meeting about the case the next morning without calling at the office. The social worker put the bag down between two chairs in the pub where he was sitting with colleagues.

At least seven data subjects were affected by the loss of the file. These included the child, the child's solicitor, both of the child's parents and their respective solicitors, and the social worker. The file related to a sexual abuse case which had resulted in a child protection order, and contained reports giving details of the sexual abuse, extracts from psychiatrist reports and very sensitive information from a foster carer about the child's behaviour.

The data controller had a data protection policy posted on the intranet, and this included a list of dos and don'ts, as well as requirements to keep sensitive data safe and secure at all times. The data controller had apparently told the ICO that all members of staff receive training on compliance with the Act; however, the onus was on staff to inform themselves and keep themselves up to date, and this particular social worker did not appear to have received training on the Data Protection policy. The ICO found that the data controller did not check that social workers had received training, despite the fact that they regularly handled highly sensitive personal data.

Once the social worker realised that the bag containing the file was missing, he informed the police; however, the bag has never been found. The data controller informed the data subjects and the Court of the loss of the file. An email was sent out to all staff with a number of reminders on Data Protection matters, including that they should not take sensitive data out with them on social occasions.

Further action undertaken by the data controller includes refresher training for staff, regular reminders about the importance of keeping information secure, making greater use of encrypted laptops and USB drives to carry information outside the office, and the carrying out of a Data Protection audit.

Nevertheless, the Commissioner has decided that there was a serious breach of section 4(4) of the Data Protection Act and a failure to comply with Principle Seven. The ICO found a failure to take appropriate technical and organisational measures to ensure that a serious data loss did not occur. Among the failings were a lack of a policy suited to the work of the data controller, a lack of adequate staff training, a lack of proper security measures for bags when taking data out of the office, and a lack of consideration of alternative measures such as encrypted mobile devices. The level of security was not adequate considering the sensitivity of the data and the risk of its loss.

The Commissioner was satisfied that the loss of data was serious and likely to cause significant distress to the data subjects. The fact that the sensitive content of the file might be further disseminated and even misused was likely to significantly increase the distress, even if there was no evidence so far that such dissemination had taken place. Also taken into account was that one of the data subjects was a vulnerable child. Furthermore, the loss of the data could prejudice Court proceedings.

Summary

Confidential and sensitive personal data was lost and has not been recovered. It was a serious contravention because of the very sensitive nature of the data involved.

The contravention was likely to cause significant distress: there was a potential for extensive media coverage about the personal lives of the data subjects, and there was also the potential to compromise an ongoing legal case and adversely affect the administration of justice.

The Commissioner found that the breach occurred due to the negligent failure of the data controller to take appropriate technical and organisational measures to prevent a breach.

The mitigating factors which the ICO took into account were that no other breaches on the part of the data controller have come to the attention of the ICO, the breach was reported swiftly, no complaints have been received from, or on behalf of, the data subjects, there is no evidence so far that there has been further distribution of the sensitive data, significant remedial action has been taken and the data controller has been fully cooperative with the ICO. The Commissioner has borne in mind that a financial penalty must be paid from the public purse.

The financial penalty was set at £100,000. It is to be paid to the Consolidated Fund at the Bank of England rather than the ICO. Part of the rationale for imposing such a penalty is to promote compliance with the Act.

2012-02-15


>>> Three regional policing e-crime hubs set up

Three new e-crime hubs (one in Yorkshire and the Humber, one in the Northwest and one in the East Midlands) were recently launched at the Association of Chief Police Officers (ACPO) e-crime conference in Sheffield.

Cyber crime has been identified in the National Security Risk Assessment as a 'tier one' threat alongside international terrorism, an international military crisis, and a major accident or natural hazard requiring a national response.

The Government has allocated £30m spread over a four-year period to improve the national capability to investigate and combat cyber crime.

The three new units will work alongside the Metropolitan Police Central e-crime Unit (PCeU), which was established in October 2008 as part of the National e-Crime Programme.

ACPO lead on e-crime Deputy Assistant Commissioner Janet Williams said: "The Government has acknowledged a need to collaborate and provide a structured response to the cyber security of the UK and these three additional policing units are going to play a critical role in our ability to combat the threat.

"It is anticipated the hubs will make a significant contribution to the national harm reduction target of £504m. In the first six months of the new funding period alone we have already been able to show a reduction of £140m with our existing capability.

"While a training period is required before the hubs are fully functional, they will undoubtedly provide an enhanced ability to investigate this fast growing area of crime and provide an improved internet investigation capability."

James Brokenshire, Minister for Crime and Security said: "Cyber crime is a threat locally and nationally, and every police force in the country has to deal with its impact on people and businesses in their area.

"As well as leading the fight in their regions, these units mark a significant step forward in developing a national response to cyber crime, which will be driven by the new National Crime Agency.

"The government has committed £650 million in the fight against e-crime," the Minister continued.

According to official figures, within the first 18 months of activity the central unit conducted seven operations across England, Wales and Northern UK, which resulted in an overall harm prevention figure of £83m; a 1:21 saving on funding.

PCeU Northwest, PCeU East Midlands and PCeU Yorkshire and the Humber will initially each comprise three staff members (a detective sergeant and two detective constables), and will operate both by generating their own investigations and in a supporting capacity to the Met's PCeU.

2012-02-15


>>> Legal Rights Objections under ICANN's New gTLD Program

The WIPO Arbitration and Mediation Center has been appointed by ICANN as the exclusive provider of dispute resolution services for trademark-based "pre-delegation" Legal Rights Objections under ICANN's New gTLD (generic top level domain) Program. This mechanism forms part of the available Trademark Rights Protection Mechanisms for New gTLDs.

WIPO has produced an FAQ (Frequently Asked Questions) page to support those who may wish to make a Legal Rights Objection.

Among the FAQs addressed are:

  • What is a Legal Rights Objection?
  • Does ICANN offer other types of objection options?
  • What criteria will a panel use to determine the outcome of a Legal Rights Objection?
  • When can a Legal Rights Objection be filed?
  • How does a rights owner submit a Legal Rights Objection?
  • Is it necessary for an applicant to file a response to a Legal Rights Objection?
  • What are the main stages of a Legal Rights Objection?
  • How many rounds of pleadings are involved?
  • Are there hearings?
  • Can the parties mediate/settle their dispute?
  • How much does it cost to file/defend a Legal Rights Objection?
  • Are there language requirements?
  • Are there word/page limits?
  • Who are the experts available for appointment?
  • How is the expert panel appointed?
  • What are the remedies available?
  • What happens if there is more than one objection to an applied-for New gTLD?
  • Is the panel's determination made publicly available?
  • Do parties retain their court options?
  • What is the WIPO Center's role in Legal Rights Objections?
  • Background on WIPO's involvement in Legal Rights Objections
  • What trademark protection mechanisms are available after new gTLDs are approved?
  • Additional information on WIPO's involvement in the Domain Name System.

Further information can be found at: http://www.wipo.int/amc/en/domains/lro/

2012-02-15


>>> Germany postpones signing up to ACTA

Germany has put on hold the signing of the controversial Anti-Counterfeiting Trade Agreement (ACTA), following expressions of concern from the country's Justice Ministry.

The BBC has reported that the Justice Ministry wants more time to consider the issues, and to see whether the EU approves ACTA.

Latvia, Poland, the Czech Republic and Slovakia have postponed signing up to ACTA against a background of rising protests across Europe about it.

2012-02-15