Watchdog issues record fine to Welsh council after serious data protection breach

Out-Law News | 08 Dec 2011 | 10:54 am | 2 min. read

A Welsh council has been issued with the highest ever fine levied by the UK's data protection watchdog after mistakenly sending child protection documents to the wrong person.

The Information Commissioner's Office (ICO) has fined Powys County Council £130,000 after pages from a child protection report were wrongly included as part of a separate document sent to a member of the public. The pages from both documents had been mixed up during the printing process and were not checked properly before being sent out, the ICO said.

Last year Powys County Council sent the same member of the public parts of a document about an "unrelated" child. On both occasions the individual knew the people identified in the papers. The ICO censured the council for the first incident and received a promise from the authority that it would take steps to prevent a recurrence. However, it subsequently failed to ensure social work staff completed data protection training, the watchdog said.

The council now faces the threat of the ICO initiating court action against it if it does not ensure that all staff who deal with personal data receive the training by 31 March next year. It is a criminal offence for an organisation not to comply with an enforcement notice unless it can show it "exercised all due diligence to comply with the notice".

The council also has to make sure that staff receive refresher data protection training at least once every three years and that new-start workers are not left unsupervised to handle personal data until they are appropriately trained, the ICO's enforcement notice said.

The ICO said that it would meet with "stakeholders from across the UK’s local government sector" in order to help them address the "underlying problem with data protection in social services departments".

"This is the third UK council in as many weeks to receive a monetary penalty for disclosing sensitive information about vulnerable people," Anne Jones, assistant commissioner for Wales, said in a statement.

"It’s the most serious case yet and it has attracted a record fine. The distress that this incident would have caused to the individuals involved is obvious and made worse by the fact that the breach could have been prevented if Powys County Council had acted on our original recommendations," she said.

Under the Data Protection Act (DPA) organisations must take "appropriate technical and organisational measures ... against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data".

Organisations, excluding Government departments, can be fined up to £5,000 at a Magistrates' court, or face an unlimited fine at the Crown Court, for certain criminal offences under the DPA.

The ICO can initiate criminal proceedings for an offence under Section 55 of the DPA. Under that section a person is generally guilty of an offence if they "knowingly or recklessly ... obtain or disclose personal data or the information contained in personal data, or procure the disclosure to another person of the information contained in personal data" without consent from the 'data controller'.

Individuals in 'body corporates' can also be liable for the criminal charges facing those organisations under certain circumstances. "Where an offence can be proved to have been committed with the consent or connivance of or to be attributable to any neglect on the part of any director, manager, secretary or similar officer of a body corporate that person can be prosecuted," the ICO has previously said.

The ICO has campaigned for individuals to face the possibility of jail for section 55 offences and also wants new powers to be able to conduct compulsory data protection audits of local authorities and public health bodies. Currently the ICO can only conduct audits of those organisations if they consent to the process.