
Largest ICO fine issued to Powys County Council for two breaches of sensitive data


The Information Commissioner's Office (ICO) has issued its largest monetary penalty to date with Powys County Council ordered to pay £130,000 after child protection case details were sent out incorrectly in two instances.

It is in connection with two breach incidents. The first was reported to the ICO in June 2010 when a social worker sent information relating to a vulnerable child to the same recipient, with the child known to the recipient. The ICO highlighted the need for the council to introduce mandatory training and to tighten up its security measures and warned that it would face further action should a similar incident occur again.

The second breach occurred in February when two separate reports about child protection cases were sent to the same shared printer. The ICO said it understood that two pages from one report were mistakenly collected with the papers from another case and were sent out without being checked by the sender.

The recipient mistakenly received the two pages of the report and knew the identities of the parent and child whose personal details were included in the papers. The recipient made a complaint to the council and a further complaint was also submitted by the recipient's mother via her MP.

Anne Jones, assistant commissioner for Wales, said: “This is the third UK council in as many weeks to receive a monetary penalty for disclosing sensitive information about vulnerable people. It's the most serious case yet and it has attracted a record fine.

“The distress that this incident would have caused to the individuals involved is obvious and made worse by the fact that the breach could have been prevented if Powys County Council had acted on our original recommendations.”

The ICO has also issued a legal notice ordering the council to take action to improve its data handling and warned that failure to do so will result in legal action being taken through the courts.

“There is clearly an underlying problem with data protection in social services departments and we will be meeting with stakeholders from across the UK's local government sector to discuss how we can support them in addressing these problems,” said Jones.

Jonathan Armstrong, lawyer at Duane Morris LLP, said: “Local authorities have to approach data protection differently; people will print information to a shared printer and in some instances these reports will be up to 60 pages long and there is a tendency to collect it later.

“We are seeing the ICO bring more cases for manual data security and I think the ICO is right; you have got to have a holistic approach to information management. This may not be the end of the story as the monetary notice says that there may be a civil case brought by the victim.”

Armstrong also said that the council had effectively wasted taxpayers' money through staff not observing the Data Protection Act.

Tony Pepper, CEO of Egress Software Technologies, said the cases have set a clear precedent.

He said: “This record fine places social services in every local authority firmly in the spotlight, and we believe these fines are only the beginning. This concerning trend reinforces that it's more important than ever to change the way we share confidential data. 'Protection that follows the data' and multi-factor authentication all play their part in ensuring that only authorised recipients access confidential information.”

The ICO's enforcement notice places a legal requirement on the council to make further improvements to its data protection practices and requires that all staff must be trained on how to follow the council's guidance on the handling of personal data by 31 March 2012, with refresher training provided every three years.
