Legal team data breach sees council hit with £120,000 fine by ICO

Stoke-on-Trent City Council has been hit with a £120,000 fine by the Information Commissioner’s Office after a solicitor in its legal department mistakenly sent a series of emails containing unencrypted sensitive data relating to a child protection legal case to the wrong address.

The incident took place on 14 December 2011 when 11 emails of varying sensitivity were sent to the wrong recipient. They contained data on the care of the child, including details of non-accidental injuries, as well as the health of two adults and two other children.

According to the monetary penalty notice, the emails also included the brief to counsel (the intended recipient), suggested directions and miscellaneous comments about the conduct of the case.

The solicitor concerned had just been provided with a new computer by the council’s IT department. This meant her stored email addresses were no longer accessible.

“She therefore copied from the paper file counsel’s internet email address that he used for work, but made two crucial errors which she then repeated when typing the email address,” the ICO said.

The solicitor realised her mistake the following day, after counsel confirmed he had not received any emails from her on 14 December.

Stoke managed to establish with the internet service provider that the email address used was valid, but the recipient failed to respond when asked to delete the emails.

Following its investigation, the ICO concluded that the solicitor was in breach of the council’s own guidance, which stated that sensitive data should be sent over a secure network or encrypted. The email should also have been protectively marked.

But the council had failed to provide its legal department with encryption software, even though it knew that the department had to send emails over insecure networks.

Stoke also accepted that the policy on information protection in particular was not widely known to staff and that no relevant training had been provided, the ICO said. The solicitor was not disciplined.

The judge presiding over the child protection proceedings and the clinical staff whose reports were compromised were informed about the security breach.

“Fortunately, the security breach did not have any effect on the court proceedings,” the monetary penalty notice said.

In setting the level of the fine, the ICO pointed out that Stoke had previously given an undertaking in 2010, after data relating to a childcare case was lost after being stored on an unencrypted memory stick.

Stoke has now taken remedial action, including introducing data protection e-learning for staff, ensuring that all emails containing sensitive personal data are password protected and, in the longer term, implementing a secure portal for emails.
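The two failures the ICO describes, sensitive material leaving the council unencrypted and a recipient address mistyped from a paper file, are exactly what an outbound mail gateway policy can catch before release. The following is an added illustration, not the council's or the ICO's code; the address book, domain names, marking labels and sensitive-content terms are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Constructed sample data: approved external contacts and the council's own domain.
ADDRESS_BOOK = {"j.counsel@chambers.example"}   # hypothetical counsel address
INTERNAL_DOMAIN = "council.example"             # assumed council mail domain
MARKINGS = ("PROTECT", "RESTRICTED")            # assumed protective-marking labels
SENSITIVE_TERMS = ("care proceedings", "non-accidental injur")  # constructed triggers


@dataclass
class OutboundMail:
    recipient: str
    subject: str
    body: str
    encrypted: bool = False   # True when the message and attachments are encrypted


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot a near-miss of a known address."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_sensitive(mail: OutboundMail) -> bool:
    """Marked material, or unmarked material that still looks like case content."""
    text = f"{mail.subject}\n{mail.body}"
    if any(re.search(rf"\b{m}\b", text) for m in MARKINGS):
        return True
    return any(term in text.lower() for term in SENSITIVE_TERMS)


def check_outbound(mail: OutboundMail) -> list:
    """Return the reasons the gateway would hold the message; an empty list means release."""
    reasons = []
    rcpt = mail.recipient.lower()
    external = not rcpt.endswith("@" + INTERNAL_DOMAIN)
    if external and is_sensitive(mail) and not mail.encrypted:
        reasons.append("sensitive material to external recipient without encryption")
    if external and rcpt not in ADDRESS_BOOK:
        near = [k for k in ADDRESS_BOOK if 0 < edit_distance(rcpt, k) <= 2]
        if near:
            reasons.append(f"recipient looks like a mistyped {near[0]}")
        else:
            reasons.append("recipient not in approved external contacts")
    return reasons
```

Holding rather than silently dropping matters here: the solicitor only learned of the error the next day, whereas a held message is visible to the sender immediately.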

The watchdog said the case emphasised the need for encryption of sensitive data.

Stephen Eckersley, Head of Enforcement at the ICO, said: “If this data had been encrypted then the information would have stayed secure. Instead, the authority has received a significant penalty for failing to adopt what is a simple and widely used security measure.”

Eckersley said it was “particularly worrying” that the breach in 2010 had highlighted similar concerns around encryption at Stoke, but the issue was not properly resolved.

“The council has now introduced new measures to improve the security of information sent electronically, as well as signing a legal notice to improve the data protection training provided to their staff,” he said. “This should limit the chances of further personal information being lost.”

In a statement, Stoke said it had taken several extra security steps to reassure residents that their personal information was safe. The weaknesses identified by the ICO had been "worked through and more robust procedures are now in place".

Cllr Olwen Hamer, Cabinet Member for Transformation and Resources, said: "The council has gone through a transformation in its approach to IT security as well as [taken] a number of proactive steps... We have also implemented a full and detailed information security training programme which included issuing staff with the do's and don'ts rules. We will be keeping a very watchful eye on our information security to help prevent future data breaches."

The Stoke case echoes the first ever fine issued by the ICO following the grant of new powers in April 2010.

A £100,000 penalty was levied against Hertfordshire County Council in November 2010 after two incidents where employees in its childcare litigation unit accidentally sent faxes containing highly sensitive personal information to the wrong recipients.

Philip Hoult