Wolverhampton council is the latest local authority to have its knuckles wrapped by the Information Commissioner’s Office (ICO) after a data handling blunder led to it exposing the personal details of nearly 10,000 people.
The ICO revealed in a newly published Undertaking that it was first notified of the incident by the council back in January.
It claimed the following:
“On 26 November 2015, the data controller asked for a report to be produced by its payroll department. Due to an oversight the personal data of 9858 data subjects was emailed to an external recipient.”
The victims worked for 73 varied educational establishments in the area, according to the report.
The council has been in trouble before and was served an Enforcement Notice in 2014 requiring all staff to complete an e-learning training course on protecting information.
Although those terms were met, the ICO remains concerned that there was no plan in place to “establish an effective mechanism to monitor and implement refresher training.”
The ICO has now demanded that Wolverhampton council put in place such a system within three months.
It added:
“The data controller shall ensure that all staff handling personal data receive data protection training and that this training is refreshed at regular intervals, not exceeding two years. The data controller should ensure that all staff that handle sensitive personal data regularly, receive refresher training within six months of the date of this undertaking, and all other staff have received refresher training within nine months of the date of this undertaking.”
New information commissioner Elizabeth Denham took over the reins at the data protection watchdog last week and it’s expected she will take a firm line on those firms which break the Data Protection Act with serious transgressions.
She will have her work cut out at the ICO, however, with managing the UK’s data protection regime in light of the Brexit vote.