Councils Fined For Breaching Data Protection Act

Ealing and Hounslow criticised after laptops containing personal information were stolen

Related Links

Sign up for weekly email newsletters from,, and

Ealing and Hounslow Councils have been fined £80,000 and £70,000 respectively by The Information Commissioner’s Office for breaching the Data Protection Act.

The fines came after the theft of two laptops containing sensitive personal information were stolen from the home of an Ealing Council worker. The laptops were password protected but unencrypted, a breach of the councils’ policies on data protection, and held personal information of service users in both Ealing and Hounslow, all of whom were alerted to the theft at the time. The laptops have never been recovered although there is no evidence to suggest the data held on the laptops has been accessed.

The ICO criticised Ealing Council for issuing an unencrypted laptop to a member of staff and for failing to carry out sufficient checks that relevant polices were being followed or understood by staff.

Although the service was run by Ealing, Hounslow Council was still served with a £70,000 monetary penalty. The ICO pointed out that the authority had breached the DPA by failing to have a written contract in place with Ealing and for failing to monitor Ealing Council’s procedures for operating the service securely.

ICO's Deputy Commissioner, David Smith, said: “The penalty against Hounslow Council also makes clear that an organisation can’t simply hand over the handling of the personal information it is responsible for to somebody else unless they ensure that the information is properly protected."

Terry Welsh, Borough Solicitor at the London Borough of Hounslow, said: "This is a very serious matter and one which has naturally and inevitably given rise to considerable concern on the part of Hounslow, Ealing and the Commissioner. The Commissioner has found that we had not done all that was required to ensure that its contract with Ealing contained sufficient safeguards to protect the data of the Council’s service users.

"We accept the Information Commissioner’s conclusion that we should have taken additional steps to ensure that in practice Ealing was applying security measures to the data it collected on our behalf. We are now acting to ensure that a rigorous programme of compliance monitoring is implemented. I would like to reassure the public that all our laptops are encrypted and we have strict information security policies in place to ensure personal data is adequately protected."

The power to impose a fine is part of the Commissioner’s overall regulatory regime and is used as both a sanction and a deterrent against non-compliance with data protection requirements.

“Both councils have paid the price for lax data protection practices. I hope all organisations that handle personal information will make sure their houses are in order – otherwise they too may have to learn the hard way," said David Smith.

February 8, 2011