
ICO fines Surrey County Council £120,000 for multiple email privacy failures


The Information Commissioner's Office (ICO) has issued its sixth monetary penalty, this time to Surrey County Council, for a ‘serious breach of the Data Protection Act'.

The council has been fined £120,000 after three incidents of misdirected emails.

The first incident, and what the ICO deemed to be the most significant of the three, took place on 17th May last year. A member of staff working for one of the council's adult social care teams emailed a file containing sensitive personal information relating to 241 individuals' physical and mental health to the wrong group email address.

The group email address included a large number of transportation companies, including taxi firms and coach and minibus hire services. The council attempted to recall the email, but was later unable to confirm that all the recipients had destroyed it. As the information was neither encrypted nor password protected, it could have been viewed by a significant number of unauthorised individuals.

A second misdirected email sent on 22nd June led to confidential personal data relating to a number of individuals being mistakenly emailed to over one hundred unintended recipients who had, in fact, registered to receive a council newsletter.

Finally, in a third incident, the council's children's services department sent confidential sensitive information, including data relating to an individual's health, to the wrong internal group email address on 21st January. Although the data did not leave the council's network, this breach led to sensitive data being circulated to individuals who should not have received it.

The ICO said that the penalty of £120,000 recognises the council's failure to ensure that it had appropriate security measures in place to handle sensitive information.

Information commissioner Christopher Graham said: “This significant penalty fully reflects the seriousness of the case. The fact that sensitive personal information relating to the health and welfare of 241 vulnerable individuals was sent to the wrong people is shocking enough. But when you take into account the two similar breaches that followed, it is clear that Surrey County Council failed to fully address the risks of sending sensitive personal data by email until it was far too late.

“Any organisation handling sensitive information must have appropriate levels of security in place. Surrey County Council has paid the price for their failings and this case should act as a warning to others that lax data protection practices will not be tolerated.”

This is the sixth fine the ICO has issued since its powers were increased in April 2010. The first and second went to A4E and Hertfordshire County Council in November last year, the third and fourth to Ealing and Hounslow Councils in February this year, while former ACS:Law owner Andrew Crossley was fined last month.

The council has since revised its information security policies and developed an early warning system that alerts staff when sensitive information is about to be sent to an external email address. It has also improved the training it provides to staff and will ensure that any group email addresses are clearly identifiable.
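The two controls the council describes, warning staff before sensitive content leaves the organisation and making group addresses recognisable, are the kind of pre-send check a mail gateway or Outlook add-in can implement. The following Python is an added illustration written for this article, not the council's system or any product named on the page. It assumes a single internal mail domain (`council.example.gov.uk`), a naming convention in which distribution-list addresses start with `list-`, and a few constructed, deliberately simple content markers; a real deployment would use classification labels and tuned detectors rather than bare regexes.

```python
"""Pre-send check: warn when content that looks sensitive is addressed to an
external recipient or to a group/distribution address, and when it travels in
an unprotected attachment. Added example, not code from the original article."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed for this example: the organisation's own mail domain(s) and the
# local-part prefix that makes distribution lists identifiable at a glance.
INTERNAL_DOMAINS = {"council.example.gov.uk"}
GROUP_LOCAL_PART_PREFIX = "list-"

# Constructed markers of sensitive content (health terms, an NHS-number-shaped
# 10-digit string, a dd/mm/yyyy date). Simple by design; tune in real use.
SENSITIVE_PATTERNS = {
    "health_term": re.compile(
        r"\b(diagnosis|mental health|medication|care plan|disability)\b", re.IGNORECASE),
    "nhs_number": re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{4}\b"),
    "dob": re.compile(r"\b\d{2}/\d{2}/\d{4}\b"),
}


@dataclass
class Attachment:
    name: str
    text: str
    encrypted: bool = False   # True when the file is encrypted/password protected


@dataclass
class OutgoingMail:
    sender: str
    recipients: List[str]
    subject: str
    body: str
    attachments: List[Attachment] = field(default_factory=list)


@dataclass
class CheckResult:
    sensitive_hits: Dict[str, int]      # marker name -> number of matches
    external_recipients: List[str]
    group_recipients: List[str]
    warnings: List[str]

    @property
    def should_warn(self) -> bool:
        return bool(self.warnings)


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def is_external(address: str) -> bool:
    return domain_of(address) not in INTERNAL_DOMAINS


def is_group_address(address: str) -> bool:
    return address.split("@", 1)[0].lower().startswith(GROUP_LOCAL_PART_PREFIX)


def find_sensitive(text: str) -> Dict[str, int]:
    """Count matches of each sensitive-content marker in the given text."""
    hits: Dict[str, int] = {}
    for name, pattern in SENSITIVE_PATTERNS.items():
        count = len(pattern.findall(text))
        if count:
            hits[name] = count
    return hits


def check_outgoing(mail: OutgoingMail) -> CheckResult:
    """Scan subject, body and unencrypted attachments, then warn on risky recipients."""
    hits = find_sensitive(mail.subject + "\n" + mail.body)
    unprotected: List[str] = []
    for att in mail.attachments:
        if att.encrypted:
            continue                      # encrypted content is not readable in transit
        att_hits = find_sensitive(att.text)
        if att_hits:
            unprotected.append(att.name)
        for name, count in att_hits.items():
            hits[name] = hits.get(name, 0) + count

    external = [r for r in mail.recipients if is_external(r)]
    groups = [r for r in mail.recipients if is_group_address(r)]
    warnings: List[str] = []
    if hits:
        if external:
            warnings.append(f"sensitive content addressed to external recipients: {external}")
        if groups:
            warnings.append(f"sensitive content addressed to group/distribution addresses: {groups}")
        if unprotected and external:
            warnings.append(f"unencrypted attachments with sensitive content leaving the organisation: {unprotected}")
    return CheckResult(hits, external, groups, warnings)


def demo_incident_mail() -> OutgoingMail:
    """Constructed message modelled on the kind of misdirection described in the article."""
    return OutgoingMail(
        sender="worker@council.example.gov.uk",
        recipients=["dispatch@taxi-firm.example.com", "list-adult-social-care@council.example.gov.uk"],
        subject="Care plan review",
        body="Client NHS number 943 476 5919, diagnosis attached.",
        attachments=[Attachment("review.txt", "Date of birth 01/02/1980. Current medication listed below.")],
    )


def demo_routine_mail() -> OutgoingMail:
    """Constructed routine internal message that should pass silently."""
    return OutgoingMail(
        sender="worker@council.example.gov.uk",
        recipients=["colleague@council.example.gov.uk"],
        subject="Team meeting",
        body="Agenda for Thursday's team meeting attached.",
    )


if __name__ == "__main__":
    for mail in (demo_incident_mail(), demo_routine_mail()):
        result = check_outgoing(mail)
        print(mail.subject, "->", "WARN" if result.should_warn else "ok", result.warnings)
```

The check warns rather than blocks, matching the "alerts staff" behaviour described above; a policy could equally refuse to send when `should_warn` is true. Note that it also flags internal group addresses, which the third incident shows can spread sensitive data just as widely inside the network.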

A Surrey County Council spokesman told getsurrey.co.uk: “These incidents should never have occurred and we have apologised to the people involved. Immediate action has been taken to prevent this happening again.

“We accept the commissioner's findings but feel the money we were fined by another public sector organisation would have been better spent making further improvements in Surrey.”

Ed Rowley, senior product manager at M86 Security, said: “Human error will always be a factor where email communication to multiple recipients is involved. However, there are plenty of tools available that restrict email content to the correct external and internal recipients and minimise that risk.

“There really is no reason for privacy to be breached in this way and the fact that this same mistake occurred on three separate occasions shows that either staff have not been educated on email security, or that the duty of care to personal information has not been taken to heart by the council's management.”
