The Information Commissioner's Office (ICO) has confirmed that Somerset County Council breached the Data Protection Act by sending a social service assessment about a local teenager to the wrong family.
The council reported the breach to the ICO in February 2011, shortly after the incident took place. A further ICO investigation found that the assessment, which had been prepared by the council's social services department, contained sensitive personal information relating to a teenager's behavioural history and medical background.
The report was mistakenly sent out to the wrong family by a council employee who was handling two similar cases at the same time.
The ICO also found that there were failings in the way the incident was handled by the council, as the recipient of the information was first told to throw it away before being advised that it would be collected by a council employee.
Sally-Anne Poole, acting head of enforcement at the ICO, said: “The information collected by social services departments is often extremely sensitive. Local authorities should make sure they have adequate measures in place to keep this information secure, especially where there is the potential for human error.
“Even though the information was returned to the council, the damage had already been done and will have caused considerable embarrassment to those affected. I am pleased that Somerset County Council has taken action to ensure that any future documents containing personal data are checked prior to release and that staff will receive appropriate training on their legal obligations to keep personal information secure.”
Sheila Wheeler, chief executive of Somerset County Council, has now signed an undertaking to ensure that staff will be made aware of the council's policies and procedures for the storage, use and disclosure of personal data and receive appropriate training on how to follow them. The council will also introduce quality control checks to be made before the release of any documents containing personal data.