Council to implement mandatory training after two data breaches in four months

The Isle of Scilly Council has given an undertaking to the Information Commissioner’s Office that it will implement mandatory data protection training after two data breaches within a four-month period last year.

The first incident took place in June 2013, when an attachment was included in error within an email. The attachment contained information relating to a disciplinary hearing, and included unredacted personal data relating to third parties.

The recipients of the email were the employee who was subject to the disciplinary hearing and their union representative.

The ICO said its investigation determined that “whilst the individual who sent the email was aware of the information governance implications of sending such data via this medium, in general there was no formal data protection training in place at the authority”.

The second incident came to light in September 2013 and involved the disclosure of two documents containing sensitive personal data.

“The documents were disclosed to authorised parties initially but the security controls around their sharing was weak which resulted in the documents ending up in public circulation,” the ICO revealed.

The information disclosed related to the conduct of, and an investigation into, a former head teacher, and included an audit report and a transcript of an interview. There was evidence that the documents were emailed to personal accounts and distributed from a council meeting.

According to the undertaking, a number of persons and organisations were privy to the information, and the Isle of Scilly Council considered that they had a legitimate business need to receive it.

“However, weaknesses surrounding the distribution of the documents, which prevented the effective control of the information contained within them, were identified during the Commissioner’s investigation. For instance, paper documents were shared without using appropriate redaction techniques.”

In addition to agreeing to implement mandatory training on the requirements of the Data Protection Act and the council’s policies on the use of personal data, the Isle of Scilly has undertaken to:

  • Provide a refresher programme so that data protection training is updated regularly;
  • Draft appropriate guidance on the safe transfer of personal data by email and consider the use of encryption where appropriate;
  • Draft and implement a redaction policy; and
  • Monitor regularly compliance with the council’s policies on data protection and IT security.

ICO Head of Enforcement, Stephen Eckersley, said:

“Personal data must be handled securely and safely. The council has failed to do so and must now make immediate changes.

“The people of the Isles of Scilly need to be confident their council understands and complies with the law. Our undertaking will help ensure they do so.”