ICO hits the road to crack 'underlying problem' at data-leak councils

Watchdog dishes out £300k in fines, starts knocking on doors

The Information Commissioner's Office (ICO) will meet representatives from local authorities to address what it has called an "underlying problem" with the bodies' approach to data protection.

The ICO made the announcement after it reported that it had served civil monetary penalty notices on four separate local authorities in England over serious breaches of the Data Protection Act (DPA). Leeds City Council, Plymouth City Council, Devon County Council and the London Borough of Lewisham were fined a total of £300,000 by the watchdog.

"There is clearly an underlying problem with data protection in local government and we will be meeting with stakeholders from across the sector to discuss how we can support them in addressing these problems," Information Commissioner Christopher Graham said in a statement. The ICO said that Leeds City Council, Plymouth City Council and Devon County Council had all sent sensitive personal data to the wrong recipients.

In the case of the Leeds authority, a file revealing details of a criminal offence by a child in care, his truancy rate and details of his relationship with his mother was sent to the wrong person after a staff member at the council re-used an envelope that had the wrong address noted on it. The council was fined (10-page 167KB PDF) £95,000 as a result of the incident.

The Plymouth authority was fined (11-page 142KB PDF) £60,000 after "confidential and highly sensitive personal data relating to two parents and their four children including allegations of child neglect resulting in ongoing care proceedings" were sent to the wrong person, the ICO said. The incident occurred after papers that two social workers at the council had printed out were mixed up.

The ICO said that Devon County Council had been fined (11-page 913KB PDF) £90,000 after a social worker who had been preparing an "adopting panel report" sent out an alternative file they had been using as a template to the wrong family. The papers featured information about 22 individuals and contained "details of alleged criminal offences and mental and physical health", the watchdog said.

In the fourth case (11-page 1.37MB PDF) a social worker employed by the Lewisham authority left files containing GP and police reports and allegations of sexual abuse and neglect in a shopping bag on a train. The social worker had taken the documents home to work on, the ICO said. It fined the council £70,000 as a result of the breach.

Nearly £2 million in fines prised from authorities

Under the DPA, organisations must take "appropriate technical and organisational measures ... against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data". Organisations must take extra care to protect sensitive personal data, such as information about individuals' physical or mental health or condition.

The ICO said that it had issued fines totalling £1,885,000 to nineteen local authorities over breaches of the DPA. Christopher Graham said that the bodies had been guilty of "failing to have the most straightforward of procedures in place".

"It would be far too easy to consider these breaches as simple human error," the Information Commissioner said. "The reality is that they are caused by councils treating sensitive personal data in the same routine way they would deal with more general correspondence. Far too often in these cases, the councils do not appear to have acknowledged that the data they are handling is about real people, and often the more vulnerable members of society."

"The distress that these incidents would have caused to the people involved is obvious. The penalties we have issued will be of little solace to them, but we do hope it will stop other people having to endure similar distress by sending out a clear message that this type of approach to personal data will not be tolerated," Graham added.

Late last year the ICO presented the Ministry of Justice (MoJ) with a "business case" outlining why new powers to conduct compulsory data protection audits of local government bodies were needed. Having the power to force those organisations to take part in an audit would help identify practices that threaten the security of personal data and prevent data breaches occurring, it said at the time.

The ICO currently has the power to conduct compulsory data protection audits of central Government departments, but must obtain consent from organisations in other sectors before it can investigate their procedures. The ICO has long campaigned for these mandatory auditing powers to be extended.

Copyright © 2012, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.
