The breaches involved the disclosure of confidential and sensitive personal data relating to four vulnerable children.
The first breach occurred when a member of staff sent a child’s assessment to the child’s sibling instead of their mother, who lived at the same address. The assessment included sensitive details of the child’s behaviour, as well as the name and address, date of birth and ethnicity of a further young child who had made a serious allegation against one of the other children.
The second breach concerned the names and addresses of the foster care placements of two young children which were printed out and shown to the children’s mother. The council then decided to move the children to alternative foster care placements as a result.
The ICO’s deputy commissioner and director of data protection, David Smith, said:
“The decision by the ICO to issue a penalty in this case reflects its seriousness – these were two very similar data breaches which occurred within a short space of time, and both involved highly confidential and sensitive personal data.
“Most importantly, some of the people affected were vulnerable children, two of whom had to be moved to a new foster home as a result of the second data breach. It is the responsibility of all organisations – especially where children or other vulnerable people are involved – to keep sensitive personal data secure.”
The council has now committed to taking action including providing staff with further training and support on data protection and information security, says the ICO. It is also introducing formal guidance on checking documents.
In response to the fine, Telford and Wrekin Council said:
“Telford & Wrekin Council is and open and transparent organisation which is why we immediately reported these breaches which were limited in effect and were down to human error where people did not follow the council’s agreed procedures that had been widely communicated to staff. The council is determined to work hard to minimise any data breaches but, where they do occur, will continue to be open with the Information Commissioner and local residents.
“That said, we do not under estimate the impact that this breach had on the people involved and have apologised to those whose data was accidentally disclosed.
“While we accept that the breaches occurred, we do not agree with the rationale behind the financial penalty that has been imposed and would point to other councils which do not collect such information and, therefore, avoid any punishment for breaches such as these.”
