Surrey County Council’s recent £120k fine from the Information Commissioner was for failing, on three separate occasions, to assess and address the security risks of sending sensitive personal information by email. In each case, highly sensitive information ended up in the wrong hands by mistake – and the fine wasn’t for the mistake, it was for failing to recognise that emails are sometimes mis-directed and to take appropriate steps to control that risk.
And that’s one of the important points about the Data Protection Act – it expects organisations to assess the risks to personal information, and then to take appropriate administrative, technical and organisational steps to control the risks they identify. In the case of sending sensitive information by email, it should by now be self-evident that mistakes sometimes happen, and that encrypting such emails as standard should be as much a default information security control as encrypting laptops, mobile media and USB sticks.