
Scottish public body escapes fine after twice losing sensitive papers on young people

A public body in Scotland has escaped a monetary penalty despite failing to keep sensitive information about young people – including legal papers – secure.

The Scottish Children’s Reporter Administration (SCRA), a national body focused on children most at risk, was investigated by the Information Commissioner’s Office for two separate incidents.

The first took place in September 2010 when a filing cabinet was removed as part of an office refurbishment. The SCRA had intended for the cabinet to be destroyed but it was sold instead to a second-hand furniture shop.

According to the ICO, the cabinet still held files containing names, dates of birth, social reports and referral decisions relating to children. The purchaser discovered the files and returned them to the SCRA.

The second incident occurred in January 2011. This time the SCRA sent legal papers containing sensitive information about a child’s court hearing to the wrong email address. The information included details relating to physical abuse and the identities of the child’s mother and witnesses.

The ICO said both breaches were “the result of the SCRA’s failure to make sure that the organisation’s existing data protection and IT security guidance were being correctly followed by their staff”.

Ken Macdonald, Assistant Commissioner for Scotland, said: “The fact that sensitive information was mishandled not once but twice by the same organisation is concerning. On both occasions the personal data which was compromised related to young children and was caused by human errors that could easily have been avoided. Luckily, on both occasions, the information was not circulated widely.”

Macdonald said he was pleased that the SCRA had taken action to make sure that the personal information it handled was kept secure. He urged other organisations, particularly those handling sensitive information relating to young people, to follow suit.

The ICO is also working with the SCRA to raise awareness of its data protection obligations amongst staff through a series of workshops.

The SCRA’s chief executive, Neil Hunter, has signed an undertaking in relation to staff awareness of its policies around storage and use of personal data. The organisation will also put in place checks to ensure staff are following those policies. In addition, steps will be taken during office moves to ensure the first incident is not repeated.

In November 2010 Hertfordshire County Council was hit with a £100,000 penalty by the ICO after two incidents where employees in its childcare litigation unit accidentally sent faxes containing highly sensitive personal information to the wrong recipients.

It was the first time the ICO had levied monetary penalties for serious breaches of the Data Protection Act.

A spokesman for the watchdog said the SCRA case had not met the legal threshold for a monetary penalty set out in the statutory guidance.

He said: "On this occasion the breach did not meet these criteria. Principally the organisation already had policies and procedures in place to safeguard against the two incidents occurring. The information was also less sensitive than the information released in the Hertfordshire data breach which involved highly sensitive information being lost in two similar incidents, i.e. misdirected faxes, over a short period of time."

The ICO spokesman also said that the information compromised in the SCRA breach "was not widely circulated as was the case for the previous data security breach at Hertfordshire".

Philip Hoult