Midlothian council has been hit with a monetary penalty of £140,000 by the Information Commissioner's Office (ICO) following three breaches involving children's social service reports being sent to the wrong recipients.
The penalty of £140,000 was delivered to the Scottish council for five serious data breaches that occurred between January and June 2011. The first breach occurred in January, but did not come to light until March, and did not prevent further similar incidents taking place in May and June.
One of the breaches occurred when papers relating to the status of a foster carer were sent to seven healthcare professionals, none of whom had any reason to see the information. In another case, the minutes of a child-protection conference were sent in error to the former address of a mother's partner, where they were opened and read by his ex-partner. The papers also contained personal data about the children's mother, who made a complaint to her social worker about this incident.
Ken Macdonald, assistant commissioner for Scotland, noted that this is the first penalty that it has served against an organisation in Scotland.
“Information about children's care, as well as details about their health and wellbeing, is some of the most sensitive information a local authority holds. It is of vital importance that this information is protected and that robust policies are followed before it is disclosed,” he said.
“The serious upset that these breaches would have caused to the children's families is obvious and it is extremely concerning that this happened five times in as many months. I hope this penalty acts as a reminder to all organisations across Scotland and the rest of the UK to ensure that the personal information they handle is kept secure.”
The council has recovered all of the information mistakenly sent to the wrong recipients and will now check all records to ensure that the details it holds are up-to-date. The ICO has ordered the council to take action to keep the personal information it handles secure, after its investigation found that all five breaches could have been avoided if the council had put adequate data protection policies, training and checks in place.
The council will also update its existing data protection policy to include specific provisions for the handling of personal data by social services staff. Any outgoing letters containing sensitive or confidential data will also be checked by another member of staff before being sent. The council's data protection training scheme will also be improved.
The last fines issued
by the ICO were in November for "serious email errors" when two of five emails, sent to the wrong NHS employee, contained highly sensitive and confidential information about a child's serious case review.
Last week's proposed changes by the EU to the Data Protection Directive included mandatory reporting of "major" data breaches within 24 hours, although the ICO has called for a rethink on some areas.
Marc Lee, director EMEA at Courion, said: “Punishments for public sector data breaches hit a new high water mark today with the ICO imposing its biggest fine to date. Rising fines might suggest the ICO's desperation to ram home the need for public authorities to improve data protection policies and enforcement.
“While the ICO says this again raises the need for better training and checks, the failure to spot these contraventions does highlight how difficult it is for an organisation to really understand, assess and be in the strongest possible position to resolve access risk issues.”