ICO issues first fine against a charity for data breach

A social care charity has become the first third sector organisation to be fined by the Information Commissioner’s Office, after “highly sensitive” information about the care of four young children was left outside a London home.

The ICO said the incident had been “entirely avoidable”, adding that the fine should act as a warning to all charities to fulfil their obligations under the Data Protection Act.

A social worker employed by Norwood Ravenswood, which was acting in this case as an adoption agency and now faces a £70,000 monetary penalty, had left the reports at the side of the house one evening in December 2011. The package would not fit the letter box.

Neither of the intended recipients, the children’s prospective adoptive parents, was in at the time. The reports were no longer there when they returned 30 minutes later, and the information has never been recovered.

The papers included details of any neglect and abuse suffered by the children, as well as information on their birth families. They also contained a chronology of the relevant local authority’s interactions with those families.

An ICO investigation found that the social worker in question had not received data protection training, which was a breach of the charity’s own policy. She had also not been given guidance on how to send data securely to prospective adopters.

The charity took disciplinary action against the social worker. It has also undertaken remedial action including updating its data protection policy, developing specific guidance, providing appropriate staff training and anonymising sensitive personal data sent to prospective adopters.

The monetary penalty notice suggested that the charity had “substantial reserves to pay a monetary penalty up to the maximum without a significant impact on day to day services”.

Stephen Eckersley, Head of Enforcement at the ICO, said: “We have warned the charity sector that they must have thorough policies and procedures in place to keep the often sensitive information they handle secure. We do not want to be issuing monetary penalties to charities, but in this case the seriousness of the breach left us with little choice.

“The children involved in this case were no more than six years old and now they are in a situation where their most sensitive details could be in the hands of a complete stranger. The fact that the social worker had received no training while working at the charity, on how to look after what is extremely sensitive information, is truly staggering. This breach was entirely avoidable.”

A spokeswoman for the charity said: “Norwood found itself, within its adoption service, to be in an isolated breach of the Data Protection Act and reported itself to the Information Commissioner’s Office when it was discovered.

“Norwood took immediate steps to tighten its procedures in line with the Act to ensure that an incident of this kind will not be repeated.”