Out-Law News | 14 Feb 2012 | 9:36 am | 2 min. read
Croydon Council was fined £100,000 after a bag containing papers about a child sex abuse court case was stolen from a social worker in a pub in April last year, the Information Commissioner's Office (ICO) said.
Norfolk County Council was fined £80,000 after a social worker at the authority hand-delivered a report featuring "highly sensitive personal data about a child’s emotional and physical wellbeing, together with other personal information" to the wrong address. The report was delivered to the next door neighbour of the intended recipient, also in April 2011, after the social worker wrote the wrong address down on the report, the ICO said.
The ICO said that Croydon Council had failed to communicate its data protection guidance to staff and had inadequate checks in place to ensure it had been read and understood. The Council's policy on data security also did not include the requirement that sensitive personal data be kept secure when taken off-premises, the watchdog said.
The social worker at Norfolk County Council had failed to complete mandatory training in data protection and the authority did not have appropriate systems in place to check this, the ICO said.
The Council also failed to operate a system that requires colleagues to check each other's work to ensure sensitive information is sent to the right address, it said. Both authorities have agreed to alter their data protection practices following the breaches.
“We appreciate that people working in roles where they handle sensitive information will – like all of us – sometimes have their bags stolen. However, this highly personal information needn’t have been compromised at all if Croydon Council had appropriate security measures in place," Stephen Eckersley, head of enforcement at the ICO, said in a statement.
“One of the most basic rules when disclosing highly sensitive information is to check and then double check that it is going to the right recipient. Norfolk County Council failed to have a system for this and also did not monitor whether staff had completed data protection training. While both councils acted swiftly to inform the people involved and have since taken remedial action, this does not excuse the fact that vulnerable children and their families should never have been put in this situation," he said.
Under the Data Protection Act organisations in control of personal data are required to take "appropriate technical and organisational measures" to prevent "unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data". The Act requires extra care around the handling of sensitive personal data, such as information relating to individuals' "physical or mental health or condition".
Under the Act the ICO has the power to issue fines of up to £500,000 for serious breaches of personal data.