ICO berates local government after fining councils £250k+ for data breaches

There is an "underlying problem with data protection" in local government, the Information Commissioner has claimed after fining three councils more than £250,000 for data breaches.

The latest monetary penalties – levied on Leeds City Council (£95,000), Devon County Council (£90,000) and the London Borough of Lewisham (£70,000) – bring the total amount of fines imposed by the ICO on local authorities to some £1,885,000 since it was handed extended powers.

The Leeds and Devon cases both involved details of child care cases being sent to the wrong recipients. They followed a similar case last month where Plymouth City Council was fined £60,000.

The Lewisham incident meanwhile saw a social worker leave sensitive case papers on a train after taking them home to work on as part of preparations for a child protection court hearing.

Information Commissioner Christopher Graham said: “We are fast approaching two million pounds worth of monetary penalties issued to UK councils for breaching the Data Protection Act, with nineteen councils failing to have the most straightforward of procedures in place

“It would be far too easy to consider these breaches as simple human error. The reality is that they are caused by councils treating sensitive personal data in the same routine way they would deal with more general correspondence. Far too often in these cases, the councils do not appear to have acknowledged that the data they are handling is about real people, and often the more vulnerable members of society.”

Graham added: “There is clearly an underlying problem with data protection in local government and we will be meeting with stakeholders from across the sector to discuss how we can support them in addressing these problems.”

The ICO has called on the Ministry of Justice to grant it stronger powers to audit local councils’ data protection compliance, “if necessary without consent”.