The Information Commissioner's Office (ICO) has issued a monetary penalty, its sixth to date, to Surrey County Council for a ‘serious breach of the Data Protection Act’.
The council has been fined £120,000 after three incidents of misdirected emails.
The first incident, and what the ICO deemed to be the most significant of the three, took place on 17th May last year. A member of staff working for one of the council's adult social care teams emailed a file containing sensitive personal information relating to 241 individuals' physical and mental health to the wrong group email address.
The group email address included a large number of transportation companies, including taxi firms and coach and mini bus hire services. The council attempted to recall the email, but was later unable to confirm that all the recipients had destroyed it. As the information was not encrypted or password protected, it had the potential to be viewed by a significant number of unauthorised individuals.
A second misdirected email sent on 22nd June led to confidential personal data relating to a number of individuals being mistakenly emailed to over one hundred unintended recipients who had, in fact, registered to receive a council newsletter.
Finally, in a third incident, the council's children's services department sent confidential sensitive information, which included data relating to an individual's health, to the wrong internal group email address on 21st January. While the data did not leave the council's network, this breach led to sensitive data being circulated to individuals who should not have received it.
The ICO said that the penalty of £120,000 recognises the council's failure to ensure that it had appropriate security measures in place to handle sensitive information.
Information commissioner Christopher Graham said: “This significant penalty fully reflects the seriousness of the case. The fact that sensitive personal information relating to the health and welfare of 241 vulnerable individuals was sent to the wrong people is shocking enough. But when you take into account the two similar breaches that followed, it is clear that Surrey County Council failed to fully address the risks of sending sensitive personal data by email until it was far too late.
“Any organisation handling sensitive information must have appropriate levels of security in place. Surrey County Council has paid the price for their failings and this case should act as a warning to others that lax data protection practices will not be tolerated.”
The penalty is the sixth the ICO has issued since its powers were increased in April 2010. The first and second were to A4E and Hertfordshire County Council in November last year, the third and fourth to Ealing and Hounslow Councils in February this year, while former ACS:Law owner Andrew Crossley was fined last month.
The council has now taken action to improve its policies on information security to include the development of an early warning system that alerts staff when sensitive information is being sent to an external email address. The council has also improved the training it provides to its staff and will ensure that any group email addresses are clearly identifiable.
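The following is an added example, not the council's own system, of the kind of pre-send check that such an early warning control performs: it flags a message tagged as sensitive when any recipient is outside the organisation's domain or is a group address, and when an attachment leaving the network is not encrypted. The internal domain, the group-address naming convention and the `sensitive` flag are all assumptions.

```python
from dataclasses import dataclass

# Assumed placeholders: the organisation's own mail domain and the naming
# convention that marks a group or distribution-list address.
INTERNAL_DOMAIN = "example.gov.uk"
GROUP_PREFIXES = ("grp-", "all-", "list-")


@dataclass
class OutboundMessage:
    sender: str
    recipients: list
    sensitive: bool                    # health or social-care data present
    attachment_encrypted: bool = False


def is_external(address: str) -> bool:
    """True when the recipient is outside the organisation's domain."""
    return not address.lower().endswith("@" + INTERNAL_DOMAIN)


def is_group(address: str) -> bool:
    """True when the local part follows the assumed group naming convention."""
    local = address.lower().split("@")[0]
    return local.startswith(GROUP_PREFIXES)


def check_message(msg: OutboundMessage) -> list:
    """Return a list of warnings to show the sender before the message leaves.

    An empty list means no concern was found. Each warning corresponds to
    one of the failure modes in the three incidents described above:
    an external group address, an external list, and an internal group.
    """
    warnings = []
    if not msg.sensitive:
        return warnings
    external = [r for r in msg.recipients if is_external(r)]
    groups = [r for r in msg.recipients if is_group(r)]
    if external:
        warnings.append("sensitive data to external recipient(s): " + ", ".join(external))
    if groups:
        warnings.append("sensitive data to group address(es): " + ", ".join(groups))
    if external and not msg.attachment_encrypted:
        warnings.append("attachment leaving the network is not encrypted")
    return warnings


if __name__ == "__main__":
    # Constructed sample mirroring the first incident: sensitive file to an
    # external group address with no encryption.
    sample = OutboundMessage("care@example.gov.uk",
                             ["grp-transport@taxi-firms.example.com"], True)
    for w in check_message(sample):
        print("WARNING:", w)
```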
A Surrey County Council spokesman told getsurrey.co.uk: “These incidents should never have occurred and we have apologised to the people involved. Immediate action has been taken to prevent this happening again.
“We accept the commissioner's findings but feel the money we were fined by another public sector organisation would have been better spent making further improvements in Surrey.”
Ed Rowley, senior product manager at M86 Security, said: “Human error will always be a factor where email communication to multiple recipients is involved. However, there are plenty of tools available that restrict email content to the correct external and internal recipients and minimise that risk.
“There really is no reason for privacy to be breached in this way and the fact that this same mistake occurred on three separate occasions shows that either staff have not been educated on email security, or that the duty of care to personal information has not been taken to heart by the council's management.”