The Moray Council has signed an undertaking to improve data protection following an incident in July 2013 when a bundle of papers with personal and sensitive personal data was left in a local café.
The papers related to a Moray Permanence Panel hearing and contained detailed reports regarding the adoption of two children, as well as shorter reports relating to 19 further children. Some of the data concerned their physical or mental health.
The ICO’s investigation into the matter uncovered that although the employee had signed a confidentiality agreement that had an explicit clause about keeping panel papers secure in lock fast facilities, the Council had not implemented supporting policies or procedures that addressed security of the papers outside of the office.
According to the undertaking:
In addition to this, the training the Council provided in relation to data protection did not cover security of personal data in any detail, and was not mandatory in any event. The employee involved had not received this training, or any other training related to the security of personal data.
You can read the corrective action plan in the undertaking, here (pdf).
(Cross-posted from DataBreaches.net)