
ICO fines Surrey County Council £120,000 for multiple email privacy failures


The Information Commissioner's Office (ICO) has issued its sixth monetary penalty, to Surrey County Council, for a 'serious breach of the Data Protection Act'.

The council has been fined £120,000 after three incidents of misdirected emails.

The first incident, and what the ICO deemed to be the most significant of the three, took place on 17th May last year. A member of staff working for one of the council's adult social care teams emailed a file containing sensitive personal information relating to 241 individuals' physical and mental health to the wrong group email address.

The group email address included a large number of transportation companies, including taxi firms and coach and mini bus hire services. The council attempted to recall the email, but was later unable to confirm that all the recipients had destroyed it. As the information was not encrypted or password protected, it had the potential to be viewed by a significant number of unauthorised individuals.

A second misdirected email sent on 22nd June led to confidential personal data relating to a number of individuals being mistakenly emailed to over one hundred unintended recipients who had, in fact, registered to receive a council newsletter.

Finally, in a third incident, the council's children's services department sent confidential sensitive information, which included data relating to an individual's health, to the wrong internal group email address on 21st January. While the data did not leave the council's network, this breach led to sensitive data being circulated to individuals who should not have received it.

The ICO said that the penalty of £120,000 recognises the council's failure to ensure that it had appropriate security measures in place to handle sensitive information.

Information commissioner Christopher Graham said: “This significant penalty fully reflects the seriousness of the case. The fact that sensitive personal information relating to the health and welfare of 241 vulnerable individuals was sent to the wrong people is shocking enough. But when you take into account the two similar breaches that followed, it is clear that Surrey County Council failed to fully address the risks of sending sensitive personal data by email until it was far too late.

“Any organisation handling sensitive information must have appropriate levels of security in place. Surrey County Council has paid the price for their failings and this case should act as a warning to others that lax data protection practices will not be tolerated.”

This is the sixth fine the ICO has issued since its powers were increased in April 2010. The first and second were to A4E and Hertfordshire County Council in November last year, the third and fourth to Ealing and Hounslow Councils in February this year, while former ACS:Law owner Andrew Crossley was fined last month.

The council has now taken action to improve its policies on information security to include the development of an early warning system that alerts staff when sensitive information is being sent to an external email address. The council has also improved the training it provides to its staff and will ensure that any group email addresses are clearly identifiable.
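The control the council describes, an outbound check that warns staff before sensitive content reaches an external or group address, can be sketched as a simple policy function. The code below is an added illustration, not the council's system; the internal domain, the `grp-` naming convention for group addresses and the sensitivity keywords are assumptions, and the sample message is constructed to mirror the first incident.

```python
import re
from dataclasses import dataclass, field

INTERNAL_DOMAIN = "council.example"   # assumed placeholder for the organisation's own domain
GROUP_PREFIX = "grp-"                 # assumed convention that makes group addresses identifiable

# Assumed keyword patterns standing in for a real classifier or DLP rule set.
SENSITIVE_PATTERNS = [
    re.compile(r"\b(care plan|mental health|medical|diagnosis)\b", re.I),
    re.compile(r"\bNHS number\b", re.I),
]

@dataclass
class OutboundMail:
    sender: str
    recipients: list
    subject: str
    body: str
    attachments: list = field(default_factory=list)  # (filename, is_encrypted)

def is_external(addr: str) -> bool:
    return addr.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN

def is_group(addr: str) -> bool:
    return addr.split("@", 1)[0].lower().startswith(GROUP_PREFIX)

def looks_sensitive(mail: OutboundMail) -> bool:
    text = mail.subject + "\n" + mail.body
    return any(p.search(text) for p in SENSITIVE_PATTERNS)

def check_outbound(mail: OutboundMail) -> list:
    """Return warnings to show the sender before the message leaves the client."""
    warnings = []
    external = [r for r in mail.recipients if is_external(r)]
    groups = [r for r in mail.recipients if is_group(r)]
    unencrypted = [name for name, enc in mail.attachments if not enc]
    if looks_sensitive(mail) and external:
        warnings.append("sensitive content to external recipient(s): " + ", ".join(external))
    if external and unencrypted:
        warnings.append("unencrypted attachment(s) leaving the network: " + ", ".join(unencrypted))
    if looks_sensitive(mail) and groups:
        # A group address may contain external members; ask the sender to confirm membership.
        warnings.append("sensitive content to group address(es): " + ", ".join(groups))
    return warnings

# Constructed sample modelled on the first incident; no real data.
SAMPLE = OutboundMail(
    sender="social.care@council.example",
    recipients=["grp-transport-providers@council.example", "dispatch@taxi-firm.example"],
    subject="Client transport list",
    body="Attached: care plan and mental health notes for clients needing transport.",
    attachments=[("clients.xls", False)],
)
```

Run as written, `check_outbound(SAMPLE)` produces three warnings, one for each failure the ICO described: sensitive data to an external address, an unencrypted attachment leaving the network, and sensitive data to a group address whose membership the sender has not confirmed.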

A Surrey County Council spokesman told getsurrey.co.uk: “These incidents should never have occurred and we have apologised to the people involved. Immediate action has been taken to prevent this happening again.

“We accept the commissioner's findings but feel the money we were fined by another public sector organisation would have been better spent making further improvements in Surrey.”

Ed Rowley, senior product manager at M86 Security, said: “Human error will always be a factor where email communication to multiple recipients is involved. However, there are plenty of tools available that restrict email content to the correct external and internal recipients and minimise that risk.

“There really is no reason for privacy to be breached in this way and the fact that this same mistake occurred on three separate occasions shows that either staff have not been educated on email security, or that the duty of care to personal information has not been taken to heart by the council's management.”
