The Information Commissioner’s Office (ICO) has found The Highland Council to be in breach of the Data Protection Act after personal data relating to several members of one family was inadvertently disclosed to another unrelated individual. The data contained sensitive information including data relating to the physical and mental health of individuals.
The incident occurred after several members of the two different families submitted subject access requests to the council at around the same time. The officer who usually dealt with these requests went on leave before the full responses had been sent and the covering officer was not aware that there was more than one outstanding request from someone in that particular village.
Alistair Dodds, Chief Executive of the Highland Council, has signed an official Undertaking to ensure a similar breach does not occur again. The Highland Council has committed to providing any covering officers with a full brief on any outstanding subject access requests. In addition, a formal log of all subject access requests is to be maintained to ensure these briefings can take place. The log should have sufficient detail to allow individual requests from those with the same surname to be clearly identified.
Ken Macdonald Assistant Commissioner for the ICO in Scotland, said: “It is important that those handling individuals’ data are fully informed and aware of how to protect personal sensitive information. Protecting personal data must be a corporate priority for organizations and it is essential that staff communicate with each other effectively.”
A full copy of the Undertaking can be viewed here:
http://www.ico.gov.uk/what_we_cover/data_protection/enforcement.aspx
The ICO’s Data Protection Guide can be viewed here:
http://www.ico.gov.uk/for_organisations/data_protection_guide.aspx
Source: Information Commissioner’s Office
Can you imagine if every mistaken mailing incident like this led to a government investigation here?