DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

UK: ICO finds three councils in breach of Data Protection Act

Posted on July 8, 2010 by Dissent

The Information Commissioner’s Office (ICO) has taken action against the London Borough of Barnet, West Sussex County Council and Buckinghamshire County Council for breaching the Data Protection Act. A systemic lack of staff training on how to handle personal information has led to the loss of sensitive personal information relating to thousands of children.

Sally-anne Poole, Enforcement Group Manager at the ICO, said: “These three councils have shown a poor regard for the importance of protecting children’s personal information. It is essential that councils ensure the correct preventative safeguards are in place when storing and transferring personal information, especially when it concerns sensitive information relating to children. A lack of awareness and training in data protection requirements can lead to personal information falling into the wrong hands.”

A theft from the home of an employee of the London Borough of Barnet was reported by the council. An unencrypted, non-password protected USB stick and CDs containing the sensitive personal information of over 9,000 children and members of their families were taken. An employee had downloaded the data onto the unencrypted devices without any authorisation to do so, although it was later revealed that there was no training provided or security in place to prevent such downloads. The ICO had conducted an audit of the London Borough of Barnet prior to this incident that had also highlighted this lack of staff training.

West Sussex County Council had a laptop stolen, also from the home of an employee, which contained sensitive personal data relating to an unknown number of children and families involved in childcare proceedings. The laptop was unencrypted and enquiries by the ICO revealed that the employee had not received any formal data protection/IT security training. It was also discovered that over 2,300 unencrypted laptops were likely to be still in use across the council’s various services, although steps are now being taken to encrypt these.

Buckinghamshire County Council provided a report regarding the loss, at Heathrow Airport, of documents containing sensitive personal data relating to two children. The documents were in a plastic wallet belonging to a council social work employee who was travelling to another UK city in connection with the children’s social care case. After further analysis by the ICO, it was apparent that no real thought had been given to the security of this personal data during travel. It was also revealed that some of the council’s policies needed revision and that staff training in data protection was insufficient.

The ICO has found all three councils in breach of the DPA. The London Borough of Barnet, West Sussex County Council and Buckinghamshire County Council have signed formal Undertakings to ensure staff will be made fully aware of the policies of their council for the storage and use of personal data. The London Borough of Barnet and West Sussex County Council will also provide appropriate training on data protection and IT security and ensure portable and mobile devices used to store and transmit personal data are encrypted. A further audit by the ICO will be carried out on the London Borough of Barnet within the current financial year to monitor the previous recommendations made to it.

Sally-anne Poole added: “I am particularly concerned where a public authority has previously been warned about the lack of staff training in data security. Breaches involving such large numbers of children and family members could easily have been avoided. I am pleased that all of the councils have now taken or proposed action to prevent against further data breaches.”

A full copy of each Undertaking can be viewed here:
http://www.ico.gov.uk/what_we_cover/data_protection/enforcement.aspx

A copy of the ICO’s latest data breach table is available here:
http://www.ico.gov.uk/upload/documents/library/corporate/research_and_reports/breach_notification_spreadsheet_may2010.pdf

Please see below for our Guide to Data Protection:
http://www.ico.gov.uk/upload/documents/library/data_protection/practical_application/the_guide_to_data_protection.pdf

Source: Information Commissioner’s Office

Related posts:

  • Data breaches put domestic abuse victims’ lives at risk, UK Information Commissioner warns
  • UK council fined £70,000 following theft of highly sensitive data from employee’s home (updated with response from Council)
  • UK: ICO levies two monetary fines to councils for e-mail gaffes that exposed sensitive information
  • UK: Five councils, a youth charity, and a healthcare provider sign undertakings following data breaches
Category: Breach IncidentsGovernment SectorLost or MissingNon-U.S.PaperTheft

Post navigation

← IE: Breach notification guidance and code available online
(follow-up) Private info accidentally released →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Qantas customers involved in mammoth data breach
  • CMS Sending Letters to 103,000 Medicare beneficiaries whose info was involved in a Medicare.gov breach.
  • Esse Health provides update about April cyberattack and notifies 263,601 people
  • Terrible tales of opsec oversights: How cybercrooks get themselves caught
  • International Criminal Court hit with cyber attack during NATO summit
  • Pembroke Regional Hospital reported canceling appointments due to service delays from “an incident”
  • Iran-linked hackers threaten to release emails allegedly stolen from Trump associates
  • National Health Care Fraud Takedown Results in 324 Defendants Charged in Connection with Over $14.6 Billion in Alleged Fraud
  • Swiss Health Foundation Radix Hit by Cyberattack Affecting Federal Data
  • Russian hackers get 7 and 5 years in prison for large-scale cyber attacks with ransomware, over 60 million euros in bitcoins seized

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • The Trump administration is building a national citizenship data system
  • Supreme Court Decision on Age Verification Tramples Free Speech and Undermines Privacy
  • New Jersey Issues Draft Privacy Regulations: The New
  • Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report
  • Germany Wants Apple, Google to Remove DeepSeek From Their App Stores
  • Supreme Court upholds Texas law requiring age verification on porn sites
  • Justices nix Medicaid ‘right’ to choose doctor, defunding Planned Parenthood in South Carolina

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.