London council fined £70k following child sex abuse data breach

Out-Law News | 22 May 2012 | 12:12 pm

A local authority in London has been fined £70,000 after papers containing identifying details about child sex abuse cases were stolen from a social worker it employed.

The Information Commissioner's Office (ICO) issued its monetary penalty notice (11-page / 1.41MB PDF) after determining that the London Borough of Barnet had been guilty of a serious breach of UK data protection laws.

In April last year the social worker took home paper records featuring details of a complaint about how the police had handled a child sex abuse investigation as well as a "project on child sexual exploitation" they ran. The documents contained "highly sensitive and confidential information, including the names, addresses, dates of birth and details of the sexual activities of 15 vulnerable children or young people," the ICO said.

The social worker stored the papers beside an encrypted computer in a laptop bag, but a thief broke into their house and stole the bag. The ICO said that London Borough of Barnet's "information security policy" was not suitable to "address the risk identified by this security breach".

In considering whether to levy a fine on the authority, the ICO said it had taken into account the fact that it had already obtained undertakings from the body to improve its policy following an earlier personal data breach.

"The potential for damage and distress in this case is obvious," Simon Entwisle, the ICO’s director of operations, said in a statement. "It is therefore extremely disappointing the council had not put in place sufficient measures in time to avoid this second loss."

"While we are pleased that Barnet Council has now taken action to keep the personal data they use secure, it is vitally important that organisations have the correct guidance in place to keep sensitive paper records taken outside of the office safe. This includes storing papers containing sensitive information separately from laptops," he said.

Under the Data Protection Act, organisations in control of personal data are required to take "appropriate technical and organisational measures" against "unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data". The Act requires extra care around the handling of sensitive personal data, such as information relating to individuals' "physical or mental health or condition" and sex life.

Under the Act the ICO has the power to issue fines of up to £500,000 for serious breaches of personal data.