ICO raps two councils after data breaches involving social services records

Two local authorities have given undertakings to the Information Commissioner’s Office after breaches of the Data Protection Act in relation to social services records.

In the first case Wokingham Borough Council lost records relating to the care of a young child. In the second, Wirral Borough Council twice sent social services records to wrong addresses.

The Wokingham case followed a subject access request made by a family member. The borough council’s response included details of the requester and their child’s involvement with the council’s social services department, including allegations of neglect and abuse carried out by the requester’s ex-partner.

The documents also included a report prepared for the courts in relation to these issues and the child’s welfare.

However, the information was lost when a delivery driver employed by the council left the documents on the doorstep of the requester’s home in August 2013.

The ICO investigation found that the driver had not been told about the sensitivity of the information and had not been informed that the delivery required a signature, or returning to the council if no one was available to sign for the package. Wokingham had also failed to arrange a suitable delivery time with the requester.

The ICO report said that there had been “a series of errors and failures in communication among the [council’s] employees in various departments”.

Previous recommendations – including for mandatory training which would be regularly refreshed for all employees whose roles involved access to personal data – had not been properly implemented, the watchdog added.

In its undertaking the council has agreed to ensure that future deliveries containing sensitive personal information are carried out securely. It will also provide regular training for staff on its updated processes.

ICO Head of Enforcement, Stephen Eckersley, said: “No one expects to have sensitive information about the care of their child left on the doorstep for anyone to stumble across. However, a series of errors by the council has led to a situation where a social service record containing damaging allegations of abuse suffered by the child, has been delivered with no consideration given to its content.”

In the Wirral case, the social services records included sensitive personal details relating to two families living in the borough. In one instance, they included details of a criminal offence committed by one of the family members.

The ICO’s investigation discovered that Wirral had no mandatory data protection training in place for staff and did not have adequate checks in place to make sure records were being sent to the correct address.

Three other disclosure incidents involving the council had also been reported to the ICO previously.

The ICO’s Eckersley said: “While human error was a factor in each of these cases, the council should have done more to keep the information secure. Social workers routinely handle sensitive information and Wirral Borough Council failed to ensure their staff received adequate training on how to keep people’s information secure.  

“We are pleased that the council has now made its data protection training mandatory for all staff following these incidents and has agreed to take further action to address the underlying problems that led to these mistakes. This includes ensuring that all staff complete the data protection training by the end of June and adequate checks are in place to make sure sensitive records are being sent to the right address.”