ICO hits council with record fine after series of data breaches in children's services

The Information Commissioner’s Office has handed a local authority in Scotland the highest monetary penalty to date for data protection breaches.

The £140,000 fine came after Midlothian Council disclosed sensitive personal data relating to children and their carers to the wrong recipients on five separate occasions. The watchdog is still considering what action to take in relation to three further cases that Midlothian has admitted.

The first incident took place in January 2011 but did not come to light for another two months. The ICO then launched an investigation. However, two further breaches occurred in May and June 2011. [Details of all five breaches are set out below]

The watchdog claimed that all the breaches could have been avoided if Midlothian had put adequate data protection policies, training and checks in place.

The council’s Children & Families Service did not have any role-specific guidance or working procedures that promoted good practice in data handling, despite its staff dealing with confidential and sensitive personal data on a daily basis.

“Staff were largely unaware of their responsibilities under the [Data Protection] Act, which had significantly contributed to these systemic failings,” the ICO said in its penalty notice.

The penalty on Midlothian is higher than that imposed on Powys County Council after it sent details of a child protection case to the wrong recipient.

However, the record could be smashed if the regulator proceeds with a threat to hit Brighton and Sussex University Hospitals with a £375,000 fine. The case involves the discovery that hard drives being decommissioned by the NHS trust were being sold on eBay.

The ICO set out its proposed fine in an initial notice of intent to BSUH. Under the watchdog’s procedures, the NHS trust will have a chance to submit representations both on the penalty notice and the proposed amount.

The Midlothian case is the first time that the ICO has levied a monetary penalty on an organisation in Scotland.

Commenting on the penalty, Ken Macdonald, Assistant Commissioner for Scotland, said: “Information about children’s care, as well as details about their health and wellbeing, is some of the most sensitive information a local authority holds. It is of vital importance that this information is protected and that robust policies are followed before it is disclosed.

“The serious upset that these breaches would have caused to the children’s families is obvious and it is extremely concerning that this happened five times in as many months. I hope this penalty acts as a reminder to all organisations across Scotland and the rest of the UK to ensure that the personal information they handle is kept secure.”

In addition to the penalty, the ICO ordered Midlothian to take action to keep the personal information it handles secure. The local authority has taken remedial action to:

  • Provide all staff working in the Children & Families Service with an “Introduction to information management awareness” training session;
  • Ask all staff working in the Children & Families Service to check its data is accurate before sending it out by post and that the database is updated with new addresses;
  • Peer check envelopes containing confidential and sensitive personal data before it is sent out by post;
  • Ensure any ‘looked after’ or ‘accommodated’ children reports are not sent to GPs unless the address is checked against the NHS register; and
  • Provide the Children & Families Service with experienced staff to assist in developing appropriate policies and procedures in relation to future compliance.

In a statement Midlothian Council said: “All [the breaches] were human error and a number of staff have been disciplined. All the information was retrieved or destroyed.

“Existing procedures have been further strengthened and an independent expert is to be brought in to ensure the council has done all it can to minimise recurrence.”

Philip Hoult

The five breaches

  1. In March 2011 Midlothian was informed by an individual that he had received confidential personal data relating to a child. The ICO understands that a social worker in the council’s Children & Families Services had been working on several files at the same time and had entered the wrong child’s name on the agreement and sent it to [redacted] in error. The data subject (a child) was not informed because Midlothian took the view that it would cause significant distress.
  2. In May 2011, a social worker in the Children & Families Service inadvertently sent a ‘looked after’ child review and care plan to the child’s mother’s GP requesting a report on the mother’s health. The child was not registered with the GP’s practice and this had not been checked against the data controller’s database. Midlothian again decided not to inform the data subject because it would cause significant distress to those involved in the care process. The ICO noted that the recipient in this incident “was a health professional and used to dealing with confidential and sensitive personal data”.
  3. On 14 May 2011, a child’s ‘looked after care review’ and ‘accommodated review’ were attached to the papers of other children and posted to four unintended recipients by a social worker working in Midlothian’s Children & Families Service. The data subject was not told of the incident for similar reasons to the other cases.
  4. On 1 June 2011, a social worker in Midlothian’s Children & Families Service erroneously sent minutes of a child protection conference by recorded delivery to the former address of the child’s mother’s partner. The mother’s partner’s address had not been updated on the council’s database. The minutes were received by his former partner who had no reason to see them. “The Commissioner understands that the former partner may have further disseminated this information to individuals in the wider local community”.
  5. On 6 June 2011, a social worker in Midlothian’s Children & Families Service inadvertently sent a letter regarding the status of a foster carer to seven individuals who had attended a child case conference. This was caused by one social worker using a shared printer to print out the letter, which was then collected in error by another social worker who had printed out the child protection conference papers. The ICO noted that the recipients were all health professionals working at external agencies and used to dealing with confidential and sensitive personal data. Midlothian did not inform the data subject because the impact had not been fully assessed.

Source: The ICO’s monetary penalty notice, dated 24 January 2012.