Friday 1 September 2017

Nottinghamshire Council fined £70,000 for care data blunder

Council found guilty of leaving information on elderly and disabled exposed to public view

Nottinghamshire County Council has been fined £70,000 by the Information Commissioner’s Office (ICO) for leaving vulnerable people’s personal information exposed online for five years.

An investigation by the ICO found that the council had left details of gender, addresses, postcodes and care requirements of elderly and disabled people in an online directory that lacked basic security or access restrictions such as a username or password.

The failing was rooted in Nottinghamshire’s launch of its Home Care Allocation System (HCAS) portal in July 2011, allowing social care providers to confirm that they had capacity to support a particular service user.

Its lack of protection was discovered in June 2016, when a member of the public using a search engine was inadvertently able to access and view the data with no need to log in, and was concerned that it could be used by criminals to target vulnerable people or their homes.

At the time the system contained a directory of 81 service users. It is understood the data of 3,000 people had been posted in the five years the system was online.

While the visible information did not include service users’ names, it provided several other personal details, including needs such as the number of home visits per day, and whether they had been or were still in hospital.

The council offered no mitigation to the ICO.

Prolonged breach

ICO head of enforcement Steve Eckersley said: “This was a serious and prolonged breach of the law. For no good reason, the council overlooked the need to put robust measures in place to protect people’s personal information, despite having the financial and staffing resources available.

“Given the sensitive nature of the personal data and the vulnerability of the people involved, this was totally unacceptable and inexcusable. Organisations need to understand that they have to treat the security of data as seriously as they take the security of their premises or their finances.”
