Cross-posting this from DataBreaches.net…
The BBC reports:
Allegations that Pembrokeshire council wrongly disclosed sensitive reports about 10 child sex abuse victims to another victim are being investigated.
It is claimed the person wanted information about himself, but received private details about others.
Read more on BBC.
The story was initially reported earlier today in Western Mail, which provides more detail:
The Information Commissioner’s Office will seek to establish why Pembrokeshire County Council gave around 400 pages of psychiatric reports about other victims to “Steven” after he sought disclosure of material relating solely to himself.
Steven – not his real name – was himself a victim in one of the most horrific cases of child sex abuse seen in Wales.
[…]
Steven claims that when he informed Pembrokeshire council officials about the inappropriate – and potentially illegal – disclosure to him of material relating to other victims, he was asked to return it quietly and added: “I was told that if I made a fuss the council would be fined, reducing the amount of money available for child protection today.”
Not only did the council allegedly lean on “Steven” not to go public with the breach, but he alleges they tried some of the same heavy-handed techniques I’ve criticized recently in other cases:
“One council officer told me I would be entitled to a small compensation payment for the distress I suffered as a result of the reports being wrongly disclosed to me.
“But I was also told that if I didn’t hand the material back, the council would apply for a court order forcing me to give back not just the wrongly disclosed material, but everything else.
The “everything else” apparently refers to all the material he had requested – and was legally entitled to – under the Data Protection Act.
A spokesperson denied that “Steven” had been threatened with any court action, but he insists that he was.
Wisely, he turned the papers over to the ICO’s office.
Read more on WalesOnline.
The Pembrokeshire County Council reportedly has had a number of concerns raised about its child protection – and now data protection. I would not be surprised if the ICO issued a monetary penalty over this breach, if confirmed, as it involved clearly sensitive information.