County council fined £100k after data breach involving social care files

Hampshire County Council has been hit with a £100,000 monetary penalty by the Information Commissioner’s Office after social care files containing personal details of more than 100 people were found in a disused building.

The files, along with 45 bags of confidential waste, were discovered by the new owners of Town End House in Havant when they bought the building in August 2014. The building had been vacated in July 2012 by Hampshire’s Adults and Children’s Services.

According to the ICO, the documents contained highly sensitive information about adults and children in vulnerable circumstances.

The ICO concluded that the local authority had failed to take appropriate organisational measures against unauthorised processing of personal data in contravention of the seventh data protection principle.

The watchdog’s monetary penalty notice, which can be viewed here, said that:

  • Between July 2012 and August 2014, a number of individuals had independent access to Town End House including the agent who was responsible for selling the building and prospective buyers.
  • In the absence of a specific written procedure, it was not clear who was ultimately responsible for ensuring that Town End House was vacant in July 2012.
  • This was exacerbated by a breakdown in communication between the different departments involved in the long process of decommissioning Town End House.

Steve Eckersley, ICO head of enforcement, said: “Hampshire County Council failed to ensure that highly sensitive personal data about adults and children in vulnerable circumstances was disposed of.

“The council knew the building had housed a department that dealt with confidential information and should have had a proper procedure in place to check no personal data was left in the building. Organisations must implement effective contingency plans to protect personal data when decommissioning buildings.”

Eckersley added: “The council’s failure to look after this information was irresponsible. It not only broke the law but put vulnerable people at risk.

“Thank goodness the company reported the find of personal details. If the information had ended up in the wrong hands it could have had distressing consequences.”

A spokesperson for Hampshire said: "We are very sorry that this incident occurred. Hampshire County Council takes the management and protection of its data very seriously. Accordingly, appropriate procedures were in place at the time, but unfortunately, on this occasion, the process was not fully adhered to. However, at no time was any information disclosed outside of the site.

"Immediate steps were taken to investigate the matter fully, and remedial action was taken. This has included strengthened and improved processes in the removal of, and destruction of, confidential waste from vacated buildings.

"We reported the incident to the ICO as soon as we became aware of it, which was at the point the company referred the incident to the county council - and have cooperated fully at all stages of the ICO's investigation. We are currently considering the ICO's decision."