Council fined £70k after social work paper records stolen from home of employee

The London Borough of Barnet has become the latest local authority to be fined for losing sensitive information.

The Information Commissioner’s Office has levied a £70,000 penalty on the council after it lost paper records containing “highly sensitive and confidential” information.

The records included the names, addresses, dates of birth and details of the sexual activities of 15 vulnerable children or young people.

According to the ICO penalty notice, on 23 April 2011 one of Barnet’s social work service managers took home the paper records to work on them out of hours.

Some of the information was anonymised, but the watchdog was satisfied that there were a number of documents that identified the data subjects.

The records were kept in the social worker’s laptop bag along with an encrypted computer.

But the social worker’s home was burgled and the laptop bag stolen.

The paper records contained – amongst other things – personal data relating to (i) a complaint about the handling of a child sexual abuse investigation by the police and the council, and (ii) a project on child sexual exploitation run by the service manager.

The laptop and its contents have not been recovered. The data subjects have all been informed about the breach.

The ICO said it understood that social workers and managers were often required to deal with cases outside normal working hours, and so they were permitted to take case papers out of the office when there was a business need to do so.

Barnet also confirmed to the watchdog that there was no alternative to taking the paper records home in this case. The ICO was told that this work could not have been carried out using alternative secure electronic means.

After its investigation, the watchdog acknowledged that Barnet had an information security policy which covered home-working. But the ICO took the view that it did not address the risk identified by this security breach.

“Although there was limited guidance on the data controller’s intranet at the time about its proposed paper handling policy which now requires (among other things) that paper records must be kept secure when off-site and totally separate from valuable items such as laptop comupters, the policy was not in force at the time of the incident,” the ICO said in its monetary penalty notice.

The watchdog also said that, as Barnet had signed an undertaking in relation to data security in June 2010 following an earlier incident in which personal data had been stolen from an employee’s home, the policy could have been implemented sooner.

Barnet has now formally introduced the policy, which the ICO said should minimise the risk of a similar security breach. However, the watchdog said further attention needed to be given to staff training.

Simon Entwisle, the ICO’s Director of Operations, said: “The potential for damage and distress in this case is obvious. It is therefore extremely disappointing the council had not put in place sufficient measures in time to avoid this second loss.

“While we are pleased that Barnet Council has now taken action to keep the personal data they use secure, it is vitally important that organisations have the correct guidance in place to keep sensitive paper records taken outside of the office safe. This includes storing papers containing sensitive information separately from laptops.”

A spokeswoman for Barnet said: “We obviously accept the ICO’s judgement but we are very disappointed that the Commissioner has fined the council in this instance.

“This data loss was the result of a criminal act where a member of staff had their house broken into and material that was under lock and key was stolen. The ICO also accepts that it was appropriate for the member of staff to have this material at home for this period. There is no evidence that the material taken has been misused in any way.” 

Barnet will receive a 20% discount if it pays the fine by 14 June, bringing it down to £56,000. The monies go to the Treasury's Consolidated Fund, not the ICO.

The ICO has levied more than £1m in fines on local authorities since it was handed enhanced powers in April 2010. The largest fine to date has been imposed on Midlothian Council

Philip Hoult