Croydon Council and Norfolk County Council guilty of failing to keep highly sensitive information on children secure
The Information Commissioner’s Office (ICO) has handed out more financial penalties – fining two councils for failing to keep highly sensitive information about the welfare of children secure.
The fines, totalling £180,000, were handed down to Croydon Council and Norfolk County Council, the ICO said.
Croydon Council has been fined £100,000 after a bag containing sensitive information was stolen from a London pub. The data included information about the sexual abuse of a child and six other people connected to a court hearing.
The papers were being taken home in preparation for a meeting the following day, the ICO said. The bag has never been recovered.
The ICO says that while Croydon Council did have adequate data protection policies in place these were not actively communicated and the council was not monitoring whether it was being adhered to. The council also had an inadequate policy on data security, as it did not state how data should be secured if it was taken out of the office.
"We appreciate that people working in roles where they handle sensitive information will – like all of us – sometimes have their bags stolen. However, this highly personal information needn’t have been compromised at all if Croydon Council had appropriate security measures in place," said Stephen Eckersley, head of enforcement at the ICO.
In the second case, Norfolk County Council was fined £80,000 after a worker accidentally wrote the wrong address on an envelope and then hand delivered it to the wrong recipient. The letter contained sensitive information about a child’s emotional and physical wellbeing, the ICO said.
The ICO’s investigation found that the worker had not completed mandatory data protection training and the council did not even have a system in place to check if workers had completed the necessary training.
The council also failed to have a system in place to check that sensitive information was being sent to the right recipient, such as having a colleague check the address before a letter is posted.
"One of the most basic rules when disclosing highly sensitive information is to check and then double check that it is going to the right recipient. Norfolk County Council failed to have a system for this and also did not monitor whether staff had completed data protection training," Eckersley added.
"While both councils acted swiftly to inform the people involved and have since taken remedial action, this does not excuse the fact that vulnerable children and their families should never have been put in this situation," he concluded.
Last week the ICO censured five councils for breaches of the Data Protection Act (DPA), and in January this year it handed out its biggest financial penalty to date, fining Midlothian Council a record £140,000 for repeated breaches of the DPA.
It is also in the process of investigating Brighton and Sussex University Hospitals NHS Trust, which could result in a fine of £375,000 being handed out after 232 hard drives containing sensitive patient information were stolen. The NHS Trust is appealing the decision.