A solicitor employed by the data controller was working on a child protection case and sent 11 emails (intended for Counsel instructed on the case) to the wrong email address by mistake, the ICO said. The emails varied in sensitivity but some of them contained confidential and highly sensitive personal data about the non-accidental injuries sustained by a child together with medical information relating to two adults and two children. The emails also contained the Brief to Counsel, suggested directions and miscellaneous comments about the conduct of the case.
The solicitor realized her error when she spoke to the barrister on the case, who told her that he had not received any emails from her that day.
But a bigger issue than the human error is that the emails were sent neither over a secure network nor encrypted, as the council's own guidelines required. Unencrypted email can be read by anyone with access to the mail servers or network links it passes through, so the exposure potentially extended well beyond the one wrong recipient. On that basis the ICO found the council in breach of the UK's Data Protection Act under section 4, prompting the fine.
"If this data had been encrypted, then sensitive information would have stayed secure. Instead, the authority has received a significant penalty for failing to adopt what is a widely used security measure," Stephen Eckersley, the ICO's head of enforcement, said in the statement.
The solicitor was not disciplined by the council, which acknowledged that it was itself not in compliance with the Data Protection Act: its legal department, it said, had no access to encryption software, and employees frequently had to send emails outside the secure network in order to carry out their work.
The penalty was also larger than it would otherwise have been because the ICO took into account that this was not Stoke-on-Trent Council's first data-loss incident: in 2010 it lost a memory stick containing unencrypted data on a child care case.
“This should have raised the data controller’s awareness about the importance of having appropriate security measures in place,” the ICO noted.
Eckersley called it “particularly worrying” that the issue of encryption seems to have been swept under the rug.
Some industry-watchers had advice to give. “There are significant risks both for reputation and in cash terms when organizations get email data protection wrong,” said Paul Hennin, director of EMEA marketing at Proofpoint, in an email. “Organizations need to be able to offer a tiered approach to protecting data on a role-by-role basis. There are some roles where enabling automated encryption for messages should be considered as the default, but others where more benefit would be gained by raising awareness through automatically prompting the employee to consider encrypting the message based on the content, for example if a file of a particular type is attached or certain strings of text are included."
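The tiered approach Hennin describes (encrypt by default for some roles, prompt others when an attachment type or a text string matches a policy) is easy to sketch as an outbound-gateway check. The following Python is an added example written for this page; it is not Proofpoint's product, nor anything the council ran. The role table, the attachment types, the trigger phrases and the two sample messages are all assumptions constructed for the example.

```python
"""Outbound e-mail encryption policy check (constructed example).

Demonstrates a role-based default plus content-based prompting, as in
the vendor comment quoted above. Everything below is an assumption made
for the example: the roles, the sensitive attachment types, the phrases
that trigger a prompt, and the two sample messages.
"""
import re
from email import message_from_string
from email.message import Message

# Roles whose outbound mail is encrypted without asking (assumed policy).
ENCRYPT_BY_DEFAULT = {"legal", "social-care"}

# Attachment types that trigger a prompt for other roles (assumed policy).
SENSITIVE_ATTACHMENT_TYPES = {
    "application/pdf",
    "application/msword",
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
}

# Body phrases treated as indicators of sensitive personal data (assumed).
SENSITIVE_PATTERNS = [
    re.compile(r"\bchild protection\b", re.I),
    re.compile(r"\bmedical (?:report|information|history)\b", re.I),
    re.compile(r"\bbrief to counsel\b", re.I),
    re.compile(r"\bnon-accidental injur", re.I),
]


def scan_message(msg: Message) -> list[str]:
    """Return the reasons a message looks sensitive (empty list if none)."""
    reasons = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        ctype = part.get_content_type()
        filename = part.get_filename()
        if filename or part.get_content_disposition() == "attachment":
            if ctype in SENSITIVE_ATTACHMENT_TYPES:
                reasons.append(f"attachment:{ctype}:{filename}")
            continue  # attachments are not text-scanned here
        if ctype == "text/plain":
            raw = part.get_payload(decode=True) or b""
            text = raw.decode(part.get_content_charset() or "utf-8", errors="replace")
            for pat in SENSITIVE_PATTERNS:
                if pat.search(text):
                    reasons.append(f"body:{pat.pattern}")
    return reasons


def decide(raw_message: str, sender_role: str) -> tuple[str, list[str]]:
    """Decide what the gateway does with an outbound message.

    Returns (action, reasons), where action is:
      "encrypt" - the sender's role is encrypted by default
      "prompt"  - content matched the policy; ask the sender to encrypt
      "send"    - nothing matched
    """
    msg = message_from_string(raw_message)
    reasons = scan_message(msg)
    if sender_role in ENCRYPT_BY_DEFAULT:
        return "encrypt", reasons
    if reasons:
        return "prompt", reasons
    return "send", reasons


# Constructed sample: a short body plus a PDF attachment, shaped like a
# brief sent to counsel. Not a real message from the case.
SAMPLE_BRIEF = """\
From: solicitor@example.invalid
To: counsel@example.invalid
Subject: Instructions
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="utf-8"

Please find attached the brief to counsel for the child protection hearing.

--XYZ
Content-Type: application/pdf; name="brief.pdf"
Content-Disposition: attachment; filename="brief.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--XYZ--
"""

# Constructed sample: routine administrative mail with nothing sensitive.
SAMPLE_ROUTINE = """\
From: clerk@example.invalid
To: supplier@example.invalid
Subject: Invoice query
Content-Type: text/plain; charset="utf-8"

Could you resend invoice 1042? Thanks.
"""

if __name__ == "__main__":
    for role in ("legal", "finance"):
        print(role, decide(SAMPLE_BRIEF, role))
    print("finance", decide(SAMPLE_ROUTINE, "finance"))
```

The point of keeping `scan_message` separate from `decide` is that the same content findings feed both branches: a legal-department sender gets encryption regardless, while a sender outside the default set is prompted only when the scan returns something. In a real gateway the pattern list would be a maintained DLP dictionary and attachments would be inspected rather than classified by declared MIME type alone, which a sender can set to anything.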
The ICO said that it will reduce the fine by 20% to £96,000 if it receives full payment by Nov. 23.