Largest ICO fine issued to Powys County Council for two breaches of sensitive data
The Information Commissioner's Office (ICO) has issued its largest monetary penalty to date with Powys County Council ordered to pay £130,000 after child protection case details were sent out incorrectly in two instances.
The penalty relates to two breach incidents. The first was reported to the ICO in June 2010 when a social worker sent information relating to a vulnerable child to the same recipient, with the child known to the recipient. The ICO highlighted the need for the council to introduce mandatory training and to tighten up its security measures and warned that it would face further action should a similar incident occur again.
The second breach occurred in February when two separate reports about child protection cases were sent to the same shared printer. The ICO said it understood that two pages from one report were mistakenly collected with the papers from another case and were sent out without being checked by the sender.
The recipient mistakenly received the two pages of the report and knew the identities of the parent and child whose personal details were included in the papers. The recipient made a complaint to the council and a further complaint was also submitted by the recipient's mother via her MP.
Anne Jones, assistant commissioner for Wales, said: “This is the third UK council in as many weeks to receive a monetary penalty for disclosing sensitive information about vulnerable people. It's the most serious case yet and it has attracted a record fine.
“The distress that this incident would have caused to the individuals involved is obvious and made worse by the fact that the breach could have been prevented if Powys County Council had acted on our original recommendations.”
The ICO has also issued a legal notice ordering the council to take action to improve its data handling and warned that failure to do so will result in legal action being taken through the courts.
“There is clearly an underlying problem with data protection in social services departments and we will be meeting with stakeholders from across the UK's local government sector to discuss how we can support them in addressing these problems,” said Jones.
Jonathan Armstrong, lawyer at Duane Morris LLP, said: “Local authorities have to approach data protection differently; people will print information to a shared printer and in some instances these reports will be up to 60 pages long and there is a tendency to collect it later.
“We are seeing the ICO bring more cases for manual data security and I think the ICO is right; you have got to have a holistic approach to information management. This may not be the end of the story as the monetary notice says that there may be a civil case brought by the victim.”
Armstrong also said that the council had effectively wasted taxpayers' money through staff not observing the Data Protection Act.
Tony Pepper, CEO of Egress Software Technologies, said the cases have set a clear precedent.
He said: “This record fine places social services in every local authority firmly in the spotlight, and we believe these fines are only the beginning. This concerning trend reinforces that it's more important than ever to change the way we share confidential data. 'Protection that follows the data' and multi-factor authentication all play their part in ensuring that only authorised recipients access confidential information.”
The ICO's enforcement notice places a legal requirement on the council to make further improvements to its data protection practices and requires that all staff must be trained on how to follow the council's guidance on the handling of personal data by 31 March 2012, with refresher training provided every three years.