From the Information Commissioner’s Office:
The Information Commissioner’s Office (ICO) has today served a monetary penalty of £130,000 to Powys County Council for a serious breach of the Data Protection Act where the details of a child protection case were sent to the wrong recipient. The penalty is the highest that the ICO has served since it received the power in April 2010 and follows a less serious, but similar incident, which was reported by the council to the ICO in June last year.
The latest breach occurred in February when two separate reports about child protection cases were sent to the same shared printer. It is thought that two pages from one report were then mistakenly collected with the papers from another case and were sent out without being checked. The recipient mistakenly received the two pages of the report and knew the identities of the parent and child whose personal details were included in the papers. The recipient made a complaint to the council and a further complaint was also submitted by the recipient’s mother via her MP.
The breach followed a similar incident – which was reported to the ICO in June 2010 – when a social worker sent information relating to a vulnerable child to the same recipient. The child named in the report was again known to the recipient. After making enquiries, the ICO highlighted the need for the council to introduce mandatory training and to tighten up its security measures. The ICO also warned the council that further action would be taken if a similar incident occurred again.
Assistant Commissioner for Wales, Anne Jones said:
“This is the third UK council in as many weeks to receive a monetary penalty for disclosing sensitive information about vulnerable people. It’s the most serious case yet and it has attracted a record fine. The distress that this incident would have caused to the individuals involved is obvious and made worse by the fact that the breach could have been prevented if Powys County Council had acted on our original recommendations.
“The ICO has also issued a legal notice ordering the council to take action to improve its data handling. Failure to do so will result in legal action being taken through the courts.
“There is clearly an underlying problem with data protection in social services departments and we will be meeting with stakeholders from across the UK’s local government sector to discuss how we can support them in addressing these problems.”
The enforcement notice that the ICO has served places a legal requirement on the authority to make further improvements to its data protection practices. The notice requires that all staff must be trained on how to follow the council’s guidance on the handling of personal data by 31 March 2012, with refresher training provided every three years.
The ICO is pressing the Ministry of Justice for stronger powers to audit local councils’ data protection compliance, if necessary without consent. The same powers are sought for NHS bodies across the UK following a series of data protection breaches.