Some local authorities may not be taking their data protection responsibilities seriously enough, a former deputy commissioner at the Information Commissioner's Office has warned, after a second local authority was fined in less than a month.
The ICO fined Gloucester City Council £100,000 after a cyber attacker accessed employees' sensitive personal information. Last month Basildon Borough Council was fined £150,000 for publishing sensitive information on its online planning portal.
David Smith, special adviser to magic circle firm Allen & Overy, said: 'These fines suggest that some local authorities are still not taking their data protection responsibilities seriously enough, despite previous warnings from the information commissioner. Local authorities are continuing to feature disproportionately highly amongst the roll call of organisations fined by the commissioner for personal data breaches.'
A monetary penalty notice for the city council states that a vulnerability known as 'Heartbleed' received widespread publicity from 7 April 2014. A new version of the affected software, which fixed the flaw, was released that same day.
On 17 April 2014, Gloucester's IT staff identified the vulnerability in the council's own systems. By that time a patch for the affected software was available, and Gloucester intended to apply it in accordance with its update policy. However, the council was in the process of outsourcing its IT services on 1 May 2014, and updating the software to address the vulnerability was overlooked.
In July 2014, staff were warned in an email that senior officers' Twitter accounts had been compromised. The attacker replied stating he had also gained access to 16 users' mailboxes.
Gloucester City Council is considering appealing the fine. Managing director Jon McGinty said: 'The council takes the security of its data very seriously and remains of the view that it did take swift and reasonable steps in 2014 to prevent a data breach as soon as it was alerted to the existence of this hacking vulnerability and the availability of a security patch.
'The council believes that the penalty issued by the ICO will have a serious and detrimental impact on its finances, and the services that we will be able to provide to the residents of Gloucester in the future.'
Sarah Williamson, partner at specialist technology firm Boyes Turner, said the fines 'are a clear message to organisations that they need to get their house in order'.
Under the forthcoming General Data Protection Regulation (GDPR), the most serious breaches could attract fines of up to $20m or 4% of global annual turnover.
Williamson said: 'Organisations have been warned well in advance of GDPR coming into force, so ignorance will not be an excuse, and a failure to take any steps to comply will not go down well with the ICO who will come down hard on those who fail to take proactive steps.'
However, Smith predicted the regulation will not necessarily lead to the number or size of fines significantly increasing 'given [information commissioner] Elizabeth Denham's ongoing commitment to regulatory action by her office being both fair and proportionate'.