This site requires Javascript to function correctly
UKAuthority.com requires the use of cookies. Continued use of this site indicates that you accept this policy. More information.

Cookies and your privacy

In accordance with the ICO's EU e-Privacy Directive and to help protect your privacy we are making you aware of the use of cookies on this site.

We use these to aid in improving and maintaining our website. Cookies are used for functionality and to track visitor behaviour on this site, primarily for Google Analytics.

Google Inc are members of the US Safe Harbor Scheme. This scheme allows the transfer of data from within the EEA to countries that are outside of the EEA without having to enter into a specific data transfer agreement. Companies that sign up to the scheme are deemed to provide adequate protection for personal data transmitted from Europe. Google Inc's registration is at http://safeharbor.export.gov/companyinfo.aspx?id=10543.

For more information on the cookies set by Google Analytics please go to: http://code.google.com/apis/analytics/docs/concepts/gaConceptsCookies.html.

This site also makes use of other essential Anonymous cookies, and the site won't work as expected without them. If you don't accept these anonymous cookies some features of the site may be unavailable.

UKAuthority.com's full privacy statement.

UKAuthority.com

Digital public sector news, research & engagement

Tuesday 14 February 2012Author: Michael Cross

ICO fines top a million

Two more local authorities have been fined by the Information Commissioner's Office (ICO), taking the total of financial penalties imposed under new powers to over £1m. The bulk of the money - which goes to the Treasury's consolidated fund - has come from local authorities.

The latest penalties were imposed despite both councils taking swift remedial action when the data breaches were discovered.

According to a statement from the ICO, Croydon council has been penalised £100,000 after a bag containing papers relating to the care of a child sex abuse victim was stolen from a London pub. Norfolk county council has been served with an £80,000 penalty for disclosing information about allegations against a parent and the welfare of their child to the wrong recipient.

Stephen Eckersley, head of enforcement at the IC, said: "We appreciate that people working in roles where they handle sensitive information will - like all of us - sometimes have their bags stolen. However, this highly personal information needn't have been compromised at all if Croydon council had appropriate security measures in place.

"One of the most basic rules when disclosing highly sensitive information is to check and then double check that it is going to the right recipient. Norfolk county council failed to have a system for this and also did not monitor whether staff had completed data protection training.

"While both councils acted swiftly to inform the people involved and have since taken remedial action, this does not excuse the fact that vulnerable children and their families should never have been put in this situation."

The Croydon breach - which happened in April 2011 - occurred when an unlocked bag belonging to a social worker was stolen from a London pub. The worker was taking papers, including information about the sexual abuse of a child and six other people connected to a court hearing, home for use at a meeting the following day. The bag and its contents have never been recovered.

The ICO's investigation found that while Croydon did have data protection guidance available at the time of the theft, it was not actively communicated to staff and the council had failed to monitor whether it had been read and understood. The council's policy on data security was also inadequate and did not stipulate how sensitive information should be kept secure when taken outside of the office.

The Norfolk breach - which also occurred in April 2011 - happened when a social worker inadvertently wrote the wrong address on a report and hand delivered it to the intended recipient's next door neighbour. The report contained confidential and highly sensitive personal data about a child's emotional and physical wellbeing, together with other personal information.

The ICO's investigation found that the social worker had not completed mandatory data protection training and that the council did not have a system in place for checking whether training had been completed. The council also did not have a peer-checking process to ensure that sensitive information was being sent to the correct recipient.

Both councils have taken remedial action as a result of the breaches and will now ensure that effective data protection measures are put in place.

www.ico.gov.uk/what_we_cover/taking_action/dp_pecr.aspx