Leicestershire County Council have breached the Data Protection Act (DPA), following the theft of a briefcase containing sensitive personal data from a social worker’s home, the Information Commissioner’s Office (ICO) said today.
The ICO was informed by the Council in May 2011 that a briefcase, containing documents to be used for initiating court proceedings, had been stolen from a social worker’s house during a burglary. These contained the sensitive personal data of 18 individuals which outlined details of neglect and requested the removal of the children from their parents’ care.
The social worker had asked for permission to take the reports home in order to continue work on them, and this was authorised by the relevant manager, in accordance with the Council’s procedures.
At the time of the incident, the employee’s manager had received the relevant training, but the social worker had not. The authority had a policy in place but this didn’t relate to the handling of paper documents while working from home.
Stephen Eckersley, the ICO’s Head of Enforcement said:
“Local authorities must recognise that social workers are handling some of the most sensitive information available. The fact that this information often relates to vulnerable young children means it is all the more important for these organisations to provide staff with adequate training and guidance on how to keep this information secure.
“While Leicestershire County Council already recognised the risks associated with home working and had produced guidance for their staff, the guidance did not explain how papers containing personal information should be kept secure.
“We are pleased that the Council have now committed to taking action to protect the personal information they handle and will extend its training programme to cover all staff who are regularly required to take this information outside of the office.”
Leicestershire County Council have committed to amending their existing policies to include detailed guidance relating to the security of paper documents while working from home, training staff on these amended policies, putting appropriate monitoring in place to ensure compliance, and implementing other security measures to ensure personal data is protected.