ICO dishes out some of first public sector fines against two councils

The news, says the ICO, comes as the UK’s data protection and investigation agency is pressing for stronger powers to audit data protection compliance across local government and the NHS.

North Somerset Council has been fined £60,000 for a serious breach of the Data Protection Act where a council employee sent five emails, two of which contained highly sensitive and confidential information about a child’s serious case review, to the wrong NHS employee.

The incidents – which took place during November and December 2010 - occurred when a council employee selected the wrong email address when creating a personal distribution list.

According to the ICO, the council employee was told about the error by the unintended recipient shortly after the first incident took place. Despite this, information was emailed to the same NHS employee on a further three occasions.

The issue was then raised at senior level. Two of the council’s assistant directors highlighted the issue with the employee on 9 December but a fifth and final incident took place later that same day.

A fine of £80,000 has also been handed to Worcestershire County Council for an incident in March 2011 where a member of staff emailed highly sensitive personal information about a large number of vulnerable people to 23 unintended recipients.

The error occurred, says the ICO, when the employee clicked on an additional contact list before sending the email, which had only been intended for internal use.

“Enquiries by the ICO found that Worcestershire County Council had failed to take appropriate measures to guard against the unauthorised processing of personal data, such as providing employees with appropriate training and clearly distinguishing between internal and external email distribution lists”, said the ICO’s media advisory on the penalties.

Commenting on the penalties, Christopher Graham, the Information Commissioner, said that personal information in cases involving vulnerable people is about the most sensitive personal information imaginable.

“It is of great concern that this sort of information was simply sent to the wrong recipients by staff at two separate councils. It was fortunate that in both cases at least the email recipients worked in a similar sector and so were used to handling sensitive information. This mitigating factor has been taken into account in assessing the amount of the penalties”, he said.

“There is too much of this sort of thing going on across local government. People who handle highly sensitive personal information need to understand the real weight of responsibility that comes with keeping it secure”, he added.

Also commenting on the penalties, Ed Rowley, senior product manager with M86 Security noted that it was suggested earlier in the year that the ICO was not using its powers to penalise organizations for the most serious data breaches.

“These two fines demonstrate that the ICO is serious about punishing those who fail to protect sensitive information. Commercial and government organizations must learn that protecting private data needs to be built into all of their processes from the ground up”, he said.

“Having the appropriate policies in place and training is the best place to start. However, these need to be supported by using appropriate technology to enforce those policies. Certainly, in both of these cases technology could have been used to prevent the email leaks and saved the councils and tax payers a lot of money, in addition to protecting the privacy of the vulnerable individuals whose information was inappropriately handled”, he added.

Over at Cryptzone, meanwhile, Grant Taylor, the firm’s vice president, said that financial penalties are not always the right approach, although he added that he understands why the ICO imposed the fines.

He explained that he hopes these penalties send a clear message not just to those working in the social care and allied sectors, but any organization dealing with sensitive personal information.

"The bottom line here is that the Information Commissioner takes this sloppiness seriously. We've had more than 18 months of warnings against public sector bodies and that approach has not worked, monetary penalties are a regrettable measure of last resort", he said.

Taylor went on to say that, when public sector cuts threaten the quality of patient care, it becomes even more difficult to get IT security expenditure approved.

When staff don’t fully understand the correct IT policies and procedures and management ignore it when mistakes are made, the cost to organizations is much higher than the measures that would have avoided these ICO fines in the first place.


What’s hot on Infosecurity Magazine?