The £90,000 fine was issued for two data breaches that occurred within months of each other, ICO explained in a statement.
The first breach occurred on March 31, 2011, when a member of the council staff working in Safeguarding Services sent the Social Care Core Assessment of one child to a sibling rather than to the child’s mother, who lived at the same address. The assessment included sensitive details of the child’s behavior and the name and address, date of birth, and ethnicity of another young child who had made a serious allegation against one of the other children, ICO said.
The second breach occurred when the names and addresses of foster care placements of two young children were included in their Placement Information Record (PIR), which was shown to the children’s mother who was able to observe the foster care address. In response to the breach, the council moved the children to an alternative foster care placement to minimize the effects on them.
Both breaches resulted from problems with staff training and the Protocol information system used by the council.
For the first breach, the council found that “the Protocol system was set up so that the details of individuals were printed automatically on the assessment, although a user could tick a box to ensure that the details weren’t printed. There was also no process in place to check the documents before they were posted out”, ICO related.
For the second breach, the council found that the “default setting on the Protocol system was to include the foster carer’s details in the PIR, and there was no process in place to check the PIR after it was printed”, ICO added.
The council has agreed to provide staff with training and support on data protection and information security as well as on the use of the Protocol system. The council is also introducing formal guidance on checking documents printed off the Protocol system and making changes to its configuration.