
Largest ICO fine issued to Powys County Council for two breaches of sensitive data

The Information Commissioner's Office (ICO) has issued its largest monetary penalty to date with Powys County Council ordered to pay £130,000 after child protection case details were sent out incorrectly in two instances.

The penalty relates to two breach incidents. The first was reported to the ICO in June 2010, when a social worker sent information relating to a vulnerable child to the same recipient, with the child known to the recipient. The ICO highlighted the need for the council to introduce mandatory training and to tighten up its security measures, and warned that it would face further action should a similar incident occur again.

The second breach occurred in February when two separate reports about child protection cases were sent to the same shared printer. The ICO said it understood that two pages from one report were mistakenly collected with the papers from another case and were sent out without being checked by the sender.

The recipient mistakenly received the two pages of the report and knew the identities of the parent and child whose personal details were included in the papers. The recipient made a complaint to the council and a further complaint was also submitted by the recipient's mother via her MP.

Anne Jones, assistant commissioner for Wales, said: “This is the third UK council in as many weeks to receive a monetary penalty for disclosing sensitive information about vulnerable people. It's the most serious case yet and it has attracted a record fine.

“The distress that this incident would have caused to the individuals involved is obvious and made worse by the fact that the breach could have been prevented if Powys County Council had acted on our original recommendations.”

The ICO has also issued a legal notice ordering the council to take action to improve its data handling and warned that failure to do so will result in legal action being taken through the courts.

“There is clearly an underlying problem with data protection in social services departments and we will be meeting with stakeholders from across the UK's local government sector to discuss how we can support them in addressing these problems,” said Jones.

Jonathan Armstrong, lawyer at Duane Morris LLP, said: “Local authorities have to approach data protection differently; people will print information to a shared printer and in some instances these reports will be up to 60 pages long and there is a tendency to collect it later.

“We are seeing the ICO bring more cases for manual data security and I think the ICO is right; you have got to have a holistic approach to information management. This may not be the end of the story as the monetary notice says that there may be a civil case brought by the victim.”

Armstrong also said that the council had effectively wasted taxpayers' money through staff not observing the Data Protection Act.

Tony Pepper, CEO of Egress Software Technologies, said the cases have set a clear precedent.

He said: “This record fine places social services in every local authority firmly in the spotlight, and we believe these fines are only the beginning. This concerning trend reinforces that it's more important than ever to change the way we share confidential data. 'Protection that follows the data' and multi-factor authentication all play their part in ensuring that only authorised recipients access confidential information.”

The ICO's enforcement notice places a legal requirement on the council to make further improvements to its data protection practices and requires that all staff must be trained on how to follow the council's guidance on the handling of personal data by 31 March 2012, with refresher training provided every three years.
