ICO hits the road to crack 'underlying problem' at data-leak councils

Watchdog dishes out £300k in fines, starts knocking on doors

The Information Commissioner's Office (ICO) will meet representatives from local authorities to address what it has called an "underlying problem" with the bodies' approach to data protection.

The ICO made the announcement after it reported that it had served civil monetary penalty notices on four separate local authorities in England over serious breaches of the Data Protection Act (DPA). Leeds City Council, Plymouth City Council, Devon County Council and the London Borough of Lewisham were fined a total of £300,000 by the watchdog.

"There is clearly an underlying problem with data protection in local government and we will be meeting with stakeholders from across the sector to discuss how we can support them in addressing these problems," Information Commissioner Christopher Graham said in a statement. The ICO said that Leeds City Council, Plymouth City Council and Devon County Council had all sent sensitive personal data to the wrong recipients.

In the case of the Leeds authority, a file revealing details of a criminal offence by a child in care, his truancy rate and details of his relationship with his mother was sent to the wrong person after a staff member at the council re-used an envelope that had the wrong address noted on it. The council was fined (10-page 167KB PDF) £95,000 as a result of the incident.

The Plymouth authority was fined (11-page 142KB PDF) £60,000 after "confidential and highly sensitive personal data relating to two parents and their four children including allegations of child neglect resulting in ongoing care proceedings" were sent to the wrong person, the ICO said. The incident occurred after papers that two social workers at the council had printed out were mixed up.

The ICO said that Devon County Council had been fined (11-page 913KB PDF) £90,000 after a social worker who had been preparing an "adopting panel report" sent out an alternative file they had been using as a template to the wrong family. The papers featured information about 22 individuals and contained "details of alleged criminal offences and mental and physical health", the watchdog said.

In the fourth case (11-page 1.37MB PDF) a social worker employed by the Lewisham authority left files containing GP and police reports and allegations of sexual abuse and neglect in a shopping bag on a train. The social worker had taken the documents home to work on, the ICO said. It fined the council £70,000 as a result of the breach.

Nearly £2 million in fines prised from authorities

Under the DPA, organisations must take "appropriate technical and organisational measures ... against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data". Organisations must take extra care to protect sensitive personal data, such as information about individuals' physical or mental health or condition.

The ICO said that it had issued fines totalling £1,885,000 to nineteen local authorities over breaches of the DPA. Christopher Graham said that the bodies had been guilty of "failing to have the most straightforward of procedures in place".

"It would be far too easy to consider these breaches as simple human error," the Information Commissioner said. "The reality is that they are caused by councils treating sensitive personal data in the same routine way they would deal with more general correspondence. Far too often in these cases, the councils do not appear to have acknowledged that the data they are handling is about real people, and often the more vulnerable members of society."

"The distress that these incidents would have caused to the people involved is obvious. The penalties we have issued will be of little solace to them, but we do hope it will stop other people having to endure similar distress by sending out a clear message that this type of approach to personal data will not be tolerated," Graham added.

Late last year the ICO presented the Ministry of Justice (MoJ) with a "business case" outlining why new powers to conduct compulsory data protection audits of local government bodies were needed. Having the power to force those organisations to take part in an audit would help identify practices that threaten the security of personal data and prevent data breaches occurring, it said at the time.

The ICO currently has the power to conduct compulsory data protection audits of central Government departments, but must obtain consent from organisations in other sectors before it can investigate their procedures. The ICO has long campaigned for these mandatory auditing powers to be extended.

Copyright © 2012, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.
