Winchester Vacancies

ICO slaps down three councils over "poor regard" for safety of children's data

The Information Commissioner’s Office has taken three councils to task for lax security and a failure to provide appropriate staff training on data protection, saying that the details of more than 9,000 children were put at risk in one incident alone.

The three councils, which have all signed formal undertakings to ensure staff are made fully aware of their policies for the storage and use of personal data, were:

  • The London Borough of Barnet: a theft from the home of an employee was reported by the council. An unencrypted, non-password protected USB stick and CDs containing information on more than 9,000 children and their families were taken. “An employee had downloaded the data onto the unencrypted devices without any authorisation to do so, although it was later revealed that there was no training provided or security in place to prevent such downloads,” the watchdog said. An earlier audit by the ICO had highlighted the lack of training.
  • West Sussex County Council: a laptop, containing sensitive personal data relating to an unknown number of children and families involved in care proceedings, was stolen from the home of an employee. The laptop was also unencrypted and the staff member had received no formal training, the ICO said. It added that more than 2,300 unencrypted laptops were likely to still be in use across the local authority.
  • Buckinghamshire County Council: the local authority reported the loss at Heathrow Airport of documents containing sensitive personal data relating to two children. The documents were in a plastic wallet belonging to a council social work employee travelling to another city in the UK in connection with their social care case. “After further analysis, it was apparent that no real thought had been given to the security of this personal data during travel,” said the ICO, which called on the council to revise its policies and improve its “insufficient” staff training.

Barnet and West Sussex, in addition to giving the undertakings, have agreed to ensure proper training is given to staff on data protection and IT security, and ensure portable and mobile devices are encrypted. The ICO is also to conduct a further audit at Barnet in the next year.

Sally-anne Poole, enforcement group manager at the ICO, said the councils had shown “a poor regard” for the importance of protecting children’s personal information.

She added: “It is essential that councils ensure the correct preventative safeguards are in place when storing and transferring personal information, especially when it concerns sensitive information relating to children. A lack of awareness and training in data protection requirements can lead to personal information falling into the wrong hands.”

The ICO has meanwhile published Personal Information online code of practice, the first guidance document of its kind.