ICO fines council £90,000 after records failings lead to data breaches

Telford and Wrekin Council has become the tenth local authority in the last 12 months to be fined by the Information Commissioner’s Office for data breaches.

The local authority has been ordered by the watchdog to pay £90,000 after two similar data breaches – involving the disclosure of confidential and sensitive personal data about four vulnerable children – occurred within two months.

According to the ICO, the first incident occurred on 31 March 2011, when a member of staff in the Safeguarding Services team sent the Social Care Core Assessment of one child to the child’s sibling instead of their mother, who lived at the same address.

The assessment included:

  • sensitive details of the child’s behaviour;
  • the name and address, date of birth and ethnicity of a further young child who had made a serious allegation against one of the other children.

The second incident involved the inclusion of the names and addresses of the foster care placements of two young children in their Placement Information Record (PIR).

The record was printed out and shown to the children’s mother, who noticed the foster carers’ address.

Telford & Wrekin then decided to move the children to alternative foster care placements.

The local authority launched an investigation after the first incident which concluded that the relationship records set up on the children’s information system, Protocol, for the children involved in the first incident, were not populated with adequate information.

The Protocol system had been set up so that the details of individuals were printed automatically on the assessment, although a user could tick a box to ensure that the details weren’t printed. The investigation also found that there was no process in place to check the documents before they were posted out.

Telford & Wrekin conducted another investigation, following the second breach, which found that the default setting on the Protocol system was to include the foster carer’s details in the PIR, and there was no process in place to check the PIR after it was printed.

The local authority has now agreed to a range of actions, including:

  • providing Safeguarding Services staff with further training and support on data protection and information security as well as on using the Protocol system
  • introducing formal guidance on checking documents printed off the Protocol system, and making changes to its configuration.

David Smith, Deputy Commissioner and Director of Data Protection at the ICO, said: “The decision by the ICO to issue a penalty in this case reflects its seriousness – these were two very similar data breaches which occurred within a short space of time, and both involved highly confidential and sensitive personal data.

“Most importantly, some of the people affected were vulnerable children, two of whom had to be moved to a new foster home as a result of the second data breach. It is the responsibility of all organisations – especially where children or other vulnerable people are involved – to keep sensitive personal data secure.”

A spokesman for Telford & Wrekin said: “The council is an open and transparent organisation which is why we immediately reported these breaches which were limited in effect and were down to human error where people did not follow the council’s agreed procedures that had been widely communicated to staff. The council is determined to work hard to minimise any data breaches but, where they do occur, will continue to be open with the Information Commissioner and local residents. That said, we do not underestimate the impact that this breach had on the people involved and have apologised to those whose data was accidentally disclosed.

“While we accept that the breaches occurred, we do not agree with the rationale behind the financial penalty that has been imposed and would point to other councils which do not collect such information and, therefore, avoid any punishment for breaches such as these. We believe the fine imposed goes against the ICO’s own guidance which states an organisation should not be fined when it has taken reasonable steps to prevent a breach - which we believe we have. We have had a strong focus on improving good information governance for some time and we are continuing with a comprehensive internal training programme on information and data security, as well as addressing high risk areas as a priority.”

However, the spokesman added that the local authority would not be appealing the fine. Instead it plans to pay the penalty promptly, which means it will only have to pay a reduced sum of £72,000.

Councils to have been fined by the ICO in the last 12 months include the London Borough of Barnet, Cheshire East Council, Croydon Council and Norfolk County Council.

Last week the watchdog issued a record fine of £325,000 on Brighton and Sussex University Hospitals NHS Trust after 232 hard drives containing patient data were sold on an Internet auction site.

However, the trust vowed to appeal the fine, saying it could not afford to pay it. 

In April, the Central London Community Healthcare NHS Trust also said it would be instructing its lawyers to challenge a £90,000 fine levied after it sent patient lists from a palliative care unit to a wrong recipient on a number of occasions. 

Philip Hoult