Stoke-on-Trent City Council has been fined £120,000 by regulators after unencrypted sensitive child protection data was emailed to the wrong person.
The Information Commissioner's Office (ICO) fined the council after one of its solicitors sent 11 emails about a child protection legal case to an unknown recipient in error.
"If this data had been encrypted then the information would have stayed secure," ICO head of enforcement Stephen Eckersley said in a statement on Thursday. "Instead, the authority has received a significant penalty for failing to adopt what is a simple and widely used security measure."
The breach occurred on 14 December 2011 when a council solicitor sent the emails, some of which contained data about a child's non-accidental injuries, plus medical information about two adults and two children.
The council's IT department had given the solicitor a new computer that did not have stored contact details, according to an ICO monetary penalty notice.
In trying to send the documents to counsel, the solicitor made two typographic errors when copying the counsel's work email address from a paper file, erroneously sending the emails to a live address.
The security breach did not affect the legal proceedings, but the judge presiding over the case was informed of the data disclosure.
The solicitor should have used the government secure intranet (GCSx) or encrypted the emails, said the ICO. She was not disciplined because the council was aware its legal department did not have access to encryption software, and staff had to send emails outside the GCSx network. In addition, employees had not been trained on information policy.
Stoke-on-Trent City Council was fined for breaching the Data Protection Act. The ICO took into account a previous undertaking signed by the council after sensitive childcare data was lost on an unencrypted memory stick in 2010.
The ICO said organisations should encrypt sensitive data at rest and in transit.