IFSEC Insider, formerly IFSEC Global, is the leading online community and news platform for security and fire safety professionals.
February 14, 2012

Councils fined for serious data breaches

Croydon Council has been handed a penalty of £100,000 after a bag containing papers relating to the care of a child sex abuse victim was stolen from a London pub.

In addition, the ICO states that Norfolk County Council has been served with an £80,000 penalty for disclosing information about allegations against a parent and the welfare of their child to the wrong recipient.

These latest penalties bring the total amount served by the ICO to organisations found in serious breach of the Data Protection Act to over one million pounds.

Stephen Eckersley, the ICO’s head of enforcement, said: “We appreciate that people working in roles where they handle sensitive information will – like all of us – sometimes have their bags stolen. However, this highly personal information needn’t have been compromised at all if Croydon Council had appropriate security measures in place.”

Eckersley added: “One of the most basic rules when disclosing highly sensitive information is to check and then double-check that it’s going to the right recipient. Norfolk County Council failed to have a system for this and also did not monitor whether staff had completed data protection training.”

The ICO’s representative concluded: “While both councils acted swiftly to inform the people involved and have since taken remedial action, this does not excuse the fact that vulnerable children and their families should never have been put in this situation.”

Fine details of the breaches

The Croydon Council breach – which happened in April 2011 – occurred when an unlocked bag belonging to a social worker was stolen from a London pub.

The worker was taking papers (including information about the sexual abuse of a child and six other people connected to a court hearing) home for use at a meeting the following day. The bag and its contents have never been recovered.

The ICO’s investigation found that, while Croydon Council did have data protection guidance available at the time of the theft, it was not actively communicated to staff and the organisation had failed to monitor whether it had been read and understood.

Croydon Council’s policy on data security was also inadequate, and did not stipulate how sensitive information should be kept secure when taken outside of the office.

The Norfolk County Council breach occurred in the same month, when a social worker inadvertently wrote the wrong address on a report and hand-delivered it to the intended recipient’s next-door neighbour.

The report contained confidential and highly sensitive personal data about a child’s emotional and physical well-being together with other personal information.

The ICO’s investigation found that the social worker had not completed mandatory data protection training and that Norfolk County Council did not have a system in place for checking whether training had been completed.

In addition, Norfolk County Council did not have a peer-checking process to ensure that sensitive information was being sent to the correct recipient.

Both organisations have taken remedial action as a result of the breaches and will now ensure that effective data protection measures are put in place.

Councils must take data protection seriously

Five councils breached the Data Protection Act by failing to keep people’s personal information secure, Information Commissioner Christopher Graham has stated.

“At a time when councils are increasingly working with community partners, when data is shared it’s vital that they uphold their legal responsibilities under the Data Protection Act,” he said. “Failures not only put local residents’ privacy at risk, but also mean that councils could be in line for a sizeable monetary penalty.”

Graham added: “We must also consider the detrimental impact these breaches continue to have on the individuals affected. Disclosing details about someone’s social housing status can be upsetting and damaging for those affected. To help tackle this issue I’ve submitted a business case to the Government asking for them to extend my compulsory audit powers.”

The five data breaches at local authorities all relate to incidents where the councils failed to take appropriate steps to ensure that personal information was kept secure.

  • Basingstoke and Deane Borough Council breached the Data Protection Act on four separate occasions during a two-month period last year. The breaches included an incident in May when an individual was mistakenly sent information relating to 29 people who were living in supported housing. The Borough Council has now signed an undertaking committing it to take action to address the problems highlighted in each incident. This includes introducing appropriate checks to make sure personal information is handled in compliance with the Data Protection Act.
  • Meanwhile, in July 2011, an employee of Brighton and Hove Council e-mailed the details of another member of staff’s personal data to 2,821 council workers. A third party also informed the ICO of a historic breach which occurred in May 2009 when an unencrypted laptop was stolen from the home of a temporary employee. The Council has now committed to ensuring that the personal information it processes is secure, including making sure that all portable devices used to store personal data are encrypted.
  • Further undertakings have also been signed by Dacorum Borough Council, Bolton Council and Craven District Council while an enforcement notice has been issued to Staffordshire County Council over its mishandling of a subject access request.

As well as the five local authorities, undertakings for youth charity Fairbridge and healthcare provider Turning Point have also been published.
