The Nottinghamshire County Council in the UK has been fined £70,000 by the Information Commissioner’s Office for leaving vulnerable people’s personal information exposed online for five years.
The UK’s Data Protection Act requires organizations to take appropriate measures to keep personal data secure, especially when dealing with sensitive information. But the council in this case posted very personal information on elderly and disabled people in an online directory, which was left open to anyone on the internet thanks to a lack of basic security or access restrictions—not even a username or password.
The council had launched its Home Care Allocation System (HCAS), an online portal allowing social care providers to confirm that they had capacity to support a particular service user, in July 2011. When the breach was reported in June 2016, the HCAS system contained a directory of 81 service users. In total, the data of 3,000 people had been posted in the five years the system was online.
The data exposed included people’s gender, addresses and post codes, personal care needs and requirements such as the number of home visits per day, and whether they had been or were still in hospital. Although the service user's names were not included, a determined person would be able to identify them.
The situation was discovered when a random person stumbled across the data (and was able to access it with no need to log in) while using a search engine. This member of the pubic alerted the ICO out of concern that the information could be used by criminals to target vulnerable people or their homes – especially as it even revealed whether or not they were still in hospital.
“This was a serious and prolonged breach of the law,” said ICO head of enforcement Steve Eckersley. “For no good reason, the council overlooked the need to put robust measures in place to protect people’s personal information, despite having the financial and staffing resources available.”
He added, “Given the sensitive nature of the personal data and the vulnerability of the people involved, this was totally unacceptable and inexcusable. Organizations need to understand that they have to treat the security of data as seriously as they take the security of their premises or their finances.”
The ICO has not been shy of assigning fines of late; in July for instance it slapped Moneysupermarket.com with an £80,000 fine after it was found guilty of sending millions of nuisance emails to customers.