ICO slaps record fine on Welsh council for data breaches
The Information Commissioner’s Office has handed a Welsh council its highest monetary penalty to date for breaching the Data Protection Act.
Powys County Council will have to pay £130,000 after what the ICO described as a serious breach that involved the details of a child protection case being sent to the wrong recipient.
The previous highest monetary penalty (£120,000) was levied on Surrey County Council in June. Last week the ICO ordered two local authorities – Worcestershire County Council and North Somerset County Council – to pay a combined £140,000 after they sent emails containing sensitive information to unintended recipients.
The ICO has also issued Powys with an enforcement notice ordering it to take action to improve its data handling. This requires the authority to train all its staff by 31 March 2012 on how to follow its guidance on the handling of personal data. Refresher training will also have to be held every three years.
Failure to comply with the notice would result in legal action being taken through the courts, it warned.
The most recent breach at the Welsh council occurred in February 2011. According to the ICO, two separate reports about child protection cases were sent to the same shared printer.
“It is thought that two pages from one report were then mistakenly collected with the papers from another case and were sent out without being checked,” the watchdog said.
“The recipient mistakenly received the two pages of the report and knew the identities of the parent and child whose personal details were included in the papers.”
The recipient made a complaint to the council. A further complaint was also sent by the recipient’s mother via her MP.
Powys had already reported a less serious but similar incident to the ICO in June 2010. On that occasion, a social worker sent information relating to a vulnerable child to the same recipient. Again the child was known to the recipient.
The ICO had told Powys to tighten up its security measures and to bring in mandatory training. It warned the council at the time of further action if another incident of a similar nature took place.
Anne Jones, Assistant Commissioner for Wales, said: “This is the third UK council in as many weeks to receive a monetary penalty for disclosing sensitive information about vulnerable people. It’s the most serious case yet and it has attracted a record fine.
“The distress that this incident would have caused to the individuals involved is obvious and made worse by the fact that the breach could have been prevented if Powys County Council had acted on our original recommendations.”
Jones suggested that there was “clearly an underlying problem with data protection in social services departments”. The ICO is to meet with stakeholders in local government to discuss how the watchdog can support them in addressing the problems.
The Information Commissioner's Office recently called on the government to hand it powers to conduct compulsory audits in local government.
Commenting on the monetary penalty, Cllr Michael Jones, Leader of Powys County Council, said; “The council fully accepts the finding of the Information Commissioner and has apologised for its failure to meet data protection legislation. This was a regrettable case of human error and we have apologised to all parties for the distress the disclosure may have caused.
“The council expects staff, particularly those working in sensitive areas, to maintain the highest possible professional standards. Disciplinary action has been taken against the member of staff involved in the regrettable breach.”
Cllr Jones added: “Although human error played a big part in the mistake, the council has reviewed procedures and strengthened practices where necessary to ensure the same mistaken is not made again.
“We are also improving staff training to further strengthen the council’s data protection procedures and implementing the recommendations in the commissioner’s final notice.”
Philip Hoult
