Cheshire East Council fined following email blunder
The Information Commissioner’s Office is on a roll: after fining two councils last week for breaching the Data Protection Act (DPA) it has now handed out another financial penalty.
Cheshire East Council has been fined £80,000 for, "failing to take appropriate measures to ensure the security and appropriateness of disclosure when emailing personal information," the ICO report said.
The incident, which the ICO described as a "serious" breach of the DPA, occurred in May 2011 when a worker at the council was asked to email the local voluntary sector co-ordinator over police concerns about an individual working in the area.
The worker was instructed to use a secure email system to send the alert but the co-ordinator did not have access to it so it was sent via a personal email account to ensure it was received.
The email was then forwarded by the co-ordinator to 100 intended recipients. According to the ICO the wording in the email was ambiguous and many recipients thought they too had to send it on to other volunteer workers. This resulted in 180 unintended recipients receiving the email.
Contents of the email included the name of the individual and an alleged alias he used.
Once the mistakes was realised the council attempted to recall the message and 57% of recipients subsequently deleted the email.
"While we appreciate that it is vitally important for genuine concerns about individuals working in the voluntary sector to be circulated to relevant parties, a robust system must be put in place to ensure that information is appropriately managed and carefully disclosed," said Stephen Eckersley, Head of Enforcement.
"Cheshire East Council also failed to provide this particular employee with adequate data protection training. The highly sensitive nature of the information and the need to restrict its circulation should have been made clear to all recipients," he added.
Eckersley said that the recent cases should act as a wake-up call to public sector bodies. "I hope this case – along with the fact that we’ve handed out over one million pounds worth of penalties since our powers came into force – acts as a strong incentive for other councils to ensure that they have sufficient measures in place around protecting personal data," he said.