
ICO hits the road to crack 'underlying problem' at data-leak councils

Watchdog dishes out £300k in fines, starts knocking on doors


The Information Commissioner's Office (ICO) will meet representatives from local authorities to address what it has called an "underlying problem" with the bodies' approach to data protection.

The ICO made the announcement after it reported that it had served civil monetary penalty notices on four separate local authorities in England over serious breaches of the Data Protection Act (DPA). Leeds City Council, Plymouth City Council, Devon County Council and the London Borough of Lewisham were fined a total of £300,000 by the watchdog.

"There is clearly an underlying problem with data protection in local government and we will be meeting with stakeholders from across the sector to discuss how we can support them in addressing these problems," Information Commissioner Christopher Graham said in a statement. The ICO said that Leeds City Council, Plymouth City Council and Devon County Council had all sent sensitive personal data to the wrong recipients.

In the case of the Leeds authority, a file revealing details of a criminal offence by a child in care, his truancy rate and details of his relationship with his mother was sent to the wrong person after a staff member at the council re-used an envelope that had the wrong address noted on it. The council was fined (10-page 167KB PDF) £95,000 as a result of the incident.

The Plymouth authority was fined (11-page 142KB PDF) £60,000 after "confidential and highly sensitive personal data relating to two parents and their four children including allegations of child neglect resulting in ongoing care proceedings" were sent to the wrong person, the ICO said. The incident occurred after papers that two social workers at the council had printed out were mixed up.

The ICO said that Devon County Council had been fined (11-page 913KB PDF) £90,000 after a social worker who had been preparing an "adopting panel report" sent out an alternative file they had been using as a template to the wrong family. The papers featured information about 22 individuals and contained "details of alleged criminal offences and mental and physical health", the watchdog said.

In the fourth case (11-page 1.37MB PDF) a social worker employed by the Lewisham authority left files containing GP and police reports and allegations of sexual abuse and neglect in a shopping bag on a train. The social worker had taken the documents home to work on, the ICO said. It fined the council £70,000 as a result of the breach.

Nearly £2 million in fines prised from authorities

Under the DPA organisations must take "appropriate technical and organisational measures ... against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data". Organisations must take extra care to protect sensitive personal data, such as information about individuals' physical or mental health or condition.

The ICO said that it had issued fines totalling £1,885,000 to nineteen local authorities over breaches of the DPA. Christopher Graham said that the bodies had been guilty of "failing to have the most straightforward of procedures in place".

"It would be far too easy to consider these breaches as simple human error," the Information Commissioner said. "The reality is that they are caused by councils treating sensitive personal data in the same routine way they would deal with more general correspondence. Far too often in these cases, the councils do not appear to have acknowledged that the data they are handling is about real people, and often the more vulnerable members of society."

"The distress that these incidents would have caused to the people involved is obvious. The penalties we have issued will be of little solace to them, but we do hope it will stop other people having to endure similar distress by sending out a clear message that this type of approach to personal data will not be tolerated," Graham added.

Late last year the ICO presented the Ministry of Justice (MoJ) with a "business case" outlining why new powers to conduct compulsory data protection audits of local government bodies were needed. Having the power to force those organisations to take part in an audit would help identify practices that threaten the security of personal data and prevent data breaches occurring, it said at the time.

The ICO currently has the power to conduct compulsory data protection audits of central Government departments, but must obtain consent from organisations in other sectors before it can investigate their procedures. The ICO has long campaigned for these mandatory auditing powers to be extended.

Copyright © 2012, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.
