Having been banging on about this for a while, it seems that ICO chief Christopher Graham has got his wishes and handed out his first Public Sector fine. This morning, it was announced that Hertfordshire County Council (HCC) has had the first substantial fine of £100,000 for a major breach.
This has been too long in the coming, and if indeed the data relates to a child sex abuse case, they are perhaps extremely fortunate that the ICO did not hand out the full £500,000 fine. The implications of the case are threefold:
1. The nature of the breach is so unacceptable, it takes one's breath away. This sort of thing happens when processes and procedures are either not in place, not observed or not substantial. None of these three excuses are valid in any way, shape or form, and somebody needs to own the liability within the Authority.
2. The money to pay the fine will have to be found from somewhere. One would assume that HCC has a contingency reserve to cover such screw-ups, but there is the chance that this could affect frontline services. Given the post-CSR world we live in right now, it’s not like we have piles of cash money just sloshing around Local Government.
3. Christopher Graham signposted this clearly in September at IA10. If he had beamed his messages onto the face of the moon, he couldn’t have been more upfront about it. He effectively said that it was no surprise that Local Authorities that have poor children’s services also handle data badly. We now know who he meant. One wonders if anyone was listening, and what is left to come. Bet they are all ears now.
There is a temptation to get bandwagonesque about this, and all pile into HCC. But frankly, this has been coming for so long, they can hardly complain. It is time for Data Security to go mainstream topically, and senior staff to get accountable.