Up to now, the Commissioner has not exercised his powers under sections 55A-E of the Data Protection Act 1998 to impose monetary penalties on data controllers for breaches of the Act. Today, he imposed his first two financial penalties.

Hertfordshire County Council has been handed a penalty of £100,000 for twice sending faxes containing sensitive personal data to members of the public in error. The first fax, which is the subject of an injunction preventing further details being disclosed, was intended for a barrister but sent to a member of the public. The second fax, which concerned child protection matters, was intended for a County Court. The errors both occurred in June 2010, and were both reported to the Commissioner by the Council itself.

Secondly, the employment services company A4e has been fined £60,000 after an unencrypted laptop containing personal details of 24,000 users of community law centres was stolen from an employee’s home. This too was reported to the Commissioner by A4e itself.