The Scottish Children's Reporter Administration (SCRA) breached the Data Protection Act twice, according to the Information Commissioner's Office (ICO).
In two separate incidents, the SCRA failed to keep sensitive information about the welfare of young people secure when files were sent to the wrong person or were not correctly destroyed.
According to the ICO, the first incident occurred in September last year when nine case files were mistakenly left in a filing cabinet which was removed as part of an office refurbishment.
The cabinet was supposed to be destroyed, but was instead sold on to a second-hand furniture shop with the files - containing names, dates of birth, social reports and referral decisions relating to children - still inside. The person who bought the cabinet discovered the files and they were returned to the organisation.
Then, four months later in January 2011, a second breach occurred when legal papers containing sensitive information about a child's court hearing were sent to the wrong email address. The documents included details relating to physical abuse and the identities of the child's mother and witnesses.
Ken Macdonald, assistant information commissioner for Scotland, said: “The fact that sensitive information was mishandled not once, but twice by the same organisation is concerning. On both occasions the personal data which was compromised related to young children and was caused by human errors that could easily have been avoided. Luckily on both occasions, the information was not circulated widely.”
Nigel Hawthorn, VP of marketing EMEA at Blue Coat, said: “Despite there being two different incidents of loss of data about young children, the sanction was to just get the chief executive to sign an undertaking and the ICO are once again failing to use the teeth they have been given to issue a fine of up to £500,000.
“Although the occurrences differed, with one being a paper loss and the other in an electronic form, this breach clearly emphasises the importance of having a solid data loss process in place.”