Council behind three sensitive data emails fined £120,000

Out-Law News | 13 Jun 2011 | 2:09 pm | 2 min. read

A UK Council has been fined £120,000 for emailing information containing sensitive personal data to the wrong addresses, the Information Commissioner's Office (ICO) has said.

The ICO, the UK's data protection watchdog, said members of staff in different departments within Surrey County Council sent three misdirected emails containing sensitive data.

"The penalty of £120,000 recognises the council’s failure to ensure that it had appropriate security measures in place to handle sensitive information," the ICO said in a statement (3-page / 29KB PDF).

Under the Data Protection Act the ICO has the power to fine organisations for accidental loss or damage to personal data they are responsible for.

On 17 May last year a member of the Council's Adult Social Care Teams unit sent an email with a file containing details of the physical and mental health of 241 vulnerable adults to a group email address that included 361 taxi, coach and mini-bus companies, the ICO said.

The information contained in the file included whether the individuals listed used a wheelchair, if and to what extent they were autistic and whether they suffered from mental health problems, Down's syndrome, dementia, epilepsy or hearing or visual impairment, the ICO said.

The data was not encrypted and, despite asking recipients to delete the email, the council could not confirm if they all had done so, the ICO said.

"[The personal data] had the potential to be viewed by a significant number of unauthorised individuals," the ICO statement said.

The Council should have identified the risk of data being exposed and the distress that would cause, but it "failed to take reasonable steps to prevent the contravention," the ICO said in the Monetary Penalty Notice (12-page / 53KB PDF) served to Surrey County Council.

In a second incident on 22 June 2010 confidential personal data was mistakenly distributed to a list of people who had signed up to receive the Council's newsletter, the ICO said.

In January this year the Council reported a third incident of data loss after a Family Support Worker sent an email with sensitive personal information on it to the wrong internal email group, the ICO said.

"The fact that sensitive personal information relating to the health and welfare of 241 vulnerable individuals was sent to the wrong people is shocking enough," Christopher Graham, Information Commissioner, said in the ICO statement. "But when you take into account the two similar breaches that followed, it is clear that Surrey County Council failed to fully address the risks of sending sensitive personal data by email until it was far too late."

The ICO said that Surrey County Council staff lacked appropriate IT training and support and that whilst remedial action had taken place following the first exposure of data, it was not sufficient to prevent two further instances occurring.

"Contravention was due to the negligent behaviour of the [Council] in failing to take appropriate technical and organisational measures against the unauthorised processing of personal data," the ICO said in its Monetary Penalty Notice.

Relaxed data protection measures are not acceptable, the ICO said.

“Any organisation handling sensitive information must have appropriate levels of security in place. Surrey County Council has paid the price for their failings and this case should act as a warning to others that lax data protection practices will not be tolerated,” Christopher Graham, the Information Commissioner, said.