ICO fines reach £1m in a year as two more councils breach data protection laws

Two more local authorities have been hit by the Information Commissioner’s Office with substantial monetary penalties for breaching data protection rules.

The latest councils to have breached the Data Protection Act are Croydon Council, which has been ordered to pay £100,000, and Norfolk County Council, which will have to pay £80,000. Both failed to keep highly sensitive information about the welfare of children secure, the ICO said.

The watchdog has now levied £1,021,000 in fines for data breaches since being handed enhanced powers in April 2010 to impose monetary penalties of up to £500,000. Ten local authorities have been required to pay a total of £960,000. However, these sums are not kept by the ICO, but instead paid into HM Treasury’s Consolidated Fund.

The penalties came just days after it emerged that the ICO and the Department for Communities and Local Government had jointly written to all local authority chief executives to remind them of their obligations under the Data Protection Act.

In the letter, Christopher Graham, the Information Commissioner, and Sir Bob Kerslake, Permanent Secretary at the DCLG, said they hoped that the ICO’s powers to use monetary penalties would need to be used “only sparingly”.

The ICO levied the £100,000 penalty on Croydon Council after an incident in April 2011 where an unlocked bag containing papers relating to the care of a child sex abuse victim was stolen from a London pub.

The council worker was taking papers home for use at a meeting the next day. The papers included information about the sexual abuse of a child and six other people connected with a court hearing. Neither the bag nor the papers were recovered.

An ICO investigation found that Croydon had data protection guidance in place, but that this was not actively communicated to staff. The local authority had failed to monitor whether its guidance had been read and understood.

The watchdog also described Croydon’s policy on data security as “inadequate”, in part because it did not set out how sensitive information should be kept secure when taken out of the office.

Norfolk Council received its £80,000 penalty for disclosing information about allegations against a parent and the welfare of their child to the wrong recipient.

This incident, which also took place in April 2011, occurred when a social worker inadvertently wrote the wrong address on a report and hand delivered it to the intended recipient’s next door neighbour.

“The report contained confidential and highly sensitive personal data about a child’s emotional and physical wellbeing, together with other personal information,” the ICO said.

The watchdog found that the social worker involved had not completed mandatory data protection training. It added that Norfolk had no system in place for checking whether training had been completed, and did not have a peer-checking process to ensure sensitive information was being sent to the right recipient.

Disclosure of information to the wrong recipient is a common theme in a number of cases where local authorities have breached the DPA. It was five separate incidents of this kind that led the ICO to hit Midlothian Council with the record penalty so far of £140,000.

However, this amount could well be dwarfed by the £375,000 fine the ICO has in an initial notice of intent proposed levying on Brighton and Sussex University Hospitals NHS trust after a number of its hard drives were sold on eBay.

Stephen Eckersley, the ICO’s Head of Enforcement, said: “We appreciate that people working in roles where they handle sensitive information will – like all of us – sometimes have their bags stolen. However, this highly personal information needn’t have been compromised at all if Croydon Council had appropriate security measures in place.

“One of the most basic rules when disclosing highly sensitive information is to check and then double check that it is going to the right recipient. Norfolk County Council failed to have a system for this and also did not monitor whether staff had completed data protection training.”

Eckersley acknowledged that both councils had swiftly informed the people involved and taken remedial action. However, he added that this “does not excuse the fact that vulnerable children and their families should never have been put in this situation”.

Philip Hoult

THE ICO’S MONETARY PENALTIES SO FAR

  • Hertfordshire County Council (22 November 2010): £100,000
  • A4e (22 November 2010): £60,000
  • Hounslow Council (8 February 2011): £70,000
  • Ealing Council (8 February 2011): £80,000
  • Andrew Jonathan Crossley, formerly trading as solicitors firm ACS Law (10 May 2011): £1,000
  • Surrey County Council (9 June 2011): £120,000
  • Worcestershire County Council (28 November 2011): £80,000
  • North Somerset Council (28 November 2011): £60,000
  • Powys County Council (6 December 2011): £130,000
  • Midlothian Council (30 January 2012): £140,000
  • Croydon Council (13 February 2012): £100,000
  • Norfolk County Council (13 February 2012): £80,000