Feeds

ICO hits the road to crack 'underlying problem' at data-leak councils

Watchdog dishes out £300k in fines, starts knocking on doors

  • alert
  • submit to reddit

High performance access to file storage

The Information Commissioner's Office (ICO) will meet representatives from local authorities to address what it has called an "underlying problem" with the bodies' approach to data protection.

The ICO made the announcement after it reported that it had served civil monetary penalty notices to four separate local authorities in England over serious breaches to the Data Protection Act (DPA). Leeds City Council, Plymouth City Council, Devon County Council and the London Borough of Lewisham were fined a total of £300,000 by the watchdog.

"There is clearly an underlying problem with data protection in local government and we will be meeting with stakeholders from across the sector to discuss how we can support them in addressing these problems," Information Commissioner Christopher Graham said in a statement. The ICO said that Leeds City Council, Plymouth City Council and Devon County Council had all sent sensitive personal data to the wrong recipients.

In the case of the Leeds authority, a file revealing details of a criminal offence by a child in care, his truancy rate and details of his relationship with his mother were sent to the wrong person after a staff member at the council re-used an envelope that had the wrong address noted on it. The council was fined (10-page 167KB PDF) £95,000 as a result of the incident.

The Plymouth authority was fined (11-page 142KB PDF) £60,000 after "confidential and highly sensitive personal data relating to two parents and their four children including allegations of child neglect resulting in ongoing care proceedings" were sent to the wrong person, the ICO said. The incident occurred after papers that two social workers at the council had printed out were mixed up.

The ICO said that Devon County Council had been fined (11-page 913KB PDF) £90,000 after a social worker who had been preparing an "adopting panel report" sent out an alternative file they had been using as a template to the wrong family. The papers featured information about 22 individuals and contained "details of alleged criminal offences and mental and physical health", the watchdog said.

In the fourth case (11-page 1.37MB PDF) a social worker employed by the Lewisham authority left files containing GP and police reports and allegations of sexual abuse and neglect in a shopping bag on a train. The social worker had taken the documents home to work on, the ICO said. It fined the council £70,000 as a result of the breach.

Nearly £2 million in fines prised from authorities

Under the DPA organisations must take "appropriate technical and organisational measures ... against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data". Organisations must take extra care to protect sensitive personal data, such as information about individuals' physical or mental health or condition.

The ICO said that it had issued fines totalling £1,885,000 to nineteen local authorities over breaches of the DPA. Christopher Graham said that the bodies had been guilty of "failing to have the most straightforward of procedures in place".

"It would be far too easy to consider these breaches as simple human error," the Information Commissioner said. "The reality is that they are caused by councils treating sensitive personal data in the same routine way they would deal with more general correspondence. Far too often in these cases, the councils do not appear to have acknowledged that the data they are handling is about real people, and often the more vulnerable members of society."

"The distress that these incidents would have caused to the people involved is obvious. The penalties we have issued will be of little solace to them, but we do hope it will stop other people having to endure similar distress by sending out a clear message that this type of approach to personal data will not be tolerated," Graham added.

Late last year the ICO presented the Ministry of Justice (MoJ) with a "business case" outlining why new powers to conduct compulsory data protection audits of local government bodies were needed. Having the power to force those organisations to take part in an audit would help identify practices that threaten the security of personal data and prevent data breaches occurring, it said at the time.

The ICO currently has the power to conduct compulsory data protection audits of central Government departments, but must obtain consent from organisations in other sectors before it can investigate their procedures. The ICO has long campaigned for these mandatory auditing powers to be extended.

Copyright © 2012, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.

Combat fraud and increase customer satisfaction

More from The Register

next story
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Record labels sue Pandora over vintage song royalties
Companies want payout on recordings made before 1972
Lavabit loses contempt of court appeal over protecting Snowden, customers
Judges rule complaints about government power are too little, too late
MtGox chief Karpelès refuses to come to US for g-men's grilling
Bitcoin baron says he needs another lawyer for FinCEN chat
Don't let no-hire pact suit witnesses call Steve Jobs a bullyboy, plead Apple and Google
'Irrelevant' character evidence should be excluded – lawyers
Edward Snowden on his Putin TV appearance: 'Why all the criticism?'
Denies Q&A cameo was meant to slam US, big-up Russia
Judge halts spread of zombie Nortel patents to Texas in Google trial
Epic Rockstar patent war to be waged in California
EFF: Feds plan to put 52 MILLION FACES into recognition database
System would identify faces as part of biometrics collection
Ex-Tony Blair adviser is new top boss at UK spy-hive GCHQ
Robert Hannigan to replace Sir Iain Lobban in the autumn
prev story

Whitepapers

SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.