ICO hits the road to crack 'underlying problem' at data-leak councils

Watchdog dishes out £300k in fines, starts knocking on doors


The Information Commissioner's Office (ICO) will meet representatives from local authorities to address what it has called an "underlying problem" with the bodies' approach to data protection.

The ICO made the announcement after it reported that it had served civil monetary penalty notices on four separate local authorities in England over serious breaches of the Data Protection Act (DPA). Leeds City Council, Plymouth City Council, Devon County Council and the London Borough of Lewisham were fined a total of £300,000 by the watchdog.

"There is clearly an underlying problem with data protection in local government and we will be meeting with stakeholders from across the sector to discuss how we can support them in addressing these problems," Information Commissioner Christopher Graham said in a statement. The ICO said that Leeds City Council, Plymouth City Council and Devon County Council had all sent sensitive personal data to the wrong recipients.

In the case of the Leeds authority, a file revealing details of a criminal offence by a child in care, his truancy rate and details of his relationship with his mother was sent to the wrong person after a staff member at the council re-used an envelope that had the wrong address noted on it. The council was fined (10-page 167KB PDF) £95,000 as a result of the incident.

The Plymouth authority was fined (11-page 142KB PDF) £60,000 after "confidential and highly sensitive personal data relating to two parents and their four children including allegations of child neglect resulting in ongoing care proceedings" were sent to the wrong person, the ICO said. The incident occurred after papers that two social workers at the council had printed out were mixed up.

The ICO said that Devon County Council had been fined (11-page 913KB PDF) £90,000 after a social worker who had been preparing an "adopting panel report" sent out an alternative file they had been using as a template to the wrong family. The papers featured information about 22 individuals and contained "details of alleged criminal offences and mental and physical health", the watchdog said.

In the fourth case (11-page 1.37MB PDF) a social worker employed by the Lewisham authority left files containing GP and police reports and allegations of sexual abuse and neglect in a shopping bag on a train. The social worker had taken the documents home to work on, the ICO said. It fined the council £70,000 as a result of the breach.

Nearly £2 million in fines prised from authorities

Under the DPA, organisations must take "appropriate technical and organisational measures ... against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data". Organisations must take extra care to protect sensitive personal data, such as information about individuals' physical or mental health or condition.

The ICO said that it had issued fines totalling £1,885,000 to nineteen local authorities over breaches of the DPA. Christopher Graham said that the bodies had been guilty of "failing to have the most straightforward of procedures in place".

"It would be far too easy to consider these breaches as simple human error," the Information Commissioner said. "The reality is that they are caused by councils treating sensitive personal data in the same routine way they would deal with more general correspondence. Far too often in these cases, the councils do not appear to have acknowledged that the data they are handling is about real people, and often the more vulnerable members of society."

"The distress that these incidents would have caused to the people involved is obvious. The penalties we have issued will be of little solace to them, but we do hope it will stop other people having to endure similar distress by sending out a clear message that this type of approach to personal data will not be tolerated," Graham added.

Late last year the ICO presented the Ministry of Justice (MoJ) with a "business case" outlining why new powers to conduct compulsory data protection audits of local government bodies were needed. Having the power to force those organisations to take part in an audit would help identify practices that threaten the security of personal data and prevent data breaches occurring, it said at the time.

The ICO currently has the power to conduct compulsory data protection audits of central Government departments, but must obtain consent from organisations in other sectors before it can investigate their procedures. The ICO has long campaigned for these mandatory auditing powers to be extended.

Copyright © 2012, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.
