The Information Commissioner (ICO) has served two organisations with the first monetary penalties for serious breaches of the Data Protection Act (DPA). The first penalty of £100,000 was issued to Hertfordshire County Council for two serious incidents where council employees faxed highly sensitive personal information to the wrong recipients. The second monetary penalty, of £60,000, was issued to an employment services company for the loss of an unencrypted laptop. The ICO has legal powers to ensure that organisations comply with the requirements of the DPA including the power to issue fines of up to £500,000 for serious breaches of the Data Protection Act. These new penalties should serve as reminders to FE and HE institutions that data protection compliance remains a fundamental responsibity. Further details of the penalites imposed can be found on the ICO website at - http://www.ico.gov.uk/.