The Information Commissioner's Office (ICO) has issued a monetary fine of £90,000 to Telford and Wrekin Council after two incidents of sending sensitive information to the wrong recipient.
According to the ICO, the first incident occurred on 31 March 2011, when a member of staff working in Safeguarding Services sent the Social Care Core Assessment of one child to the child's sibling instead of their mother, who lived at the same address.
This assessment included sensitive details of the child's behaviour as well as the name, address, date of birth and ethnicity of a further young child who had made a serious allegation against one of the other children.
The second breach occurred on 27 May 2011, and involved the inclusion of the names and addresses of the foster care placements of two young children in a Placement Information Record (PIR). This PIR was printed out and shown to the children's mother, who noticed the foster carers' address. The council then decided to move the children to alternative foster-care placements to minimise the effect on the data subjects concerned.
An investigation found that the default setting on the Protocol system was to include the foster carer's details in the PIR, and there was no process in place to check the PIR after it was printed.
An investigation carried out by the council following the first breach found that the relationship records set up on the children's information system were not populated with adequate information. This system was set up so that the details of individuals were printed automatically on the assessment, although a user could tick a box to ensure that the details weren't printed. There was also no process in place to check the documents before they were posted out.
David Smith, the ICO's deputy commissioner and director of data protection, said: “The decision by the ICO to issue a penalty in this case reflects its seriousness. These were two very similar data breaches which occurred within a short space of time, and both involved highly confidential and sensitive personal data.
“Most importantly, some of the people affected were vulnerable children, two of whom had to be moved to a new foster home as a result of the second data breach. It is the responsibility of all organisations – especially where children or other vulnerable people are involved – to keep sensitive personal data secure.”