By Maximilian Clarke
Midlothian Council has become the latest organisation to fall foul of the Information Commissioner’s Office, landing a £140,000 fine for disclosing personal data in five separate breaches.
The five serious data breaches, all involving children’s social service reports being sent to the wrong recipients, occurred between January and June 2011. One of them happened when papers relating to the status of a foster carer were sent to seven healthcare professionals, none of whom had any reason to see the information. In another case, minutes of a child protection conference were sent in error to the former address of a mother’s partner, where they were opened and read by his ex-partner. The papers also contained personal data about the children’s mother, who made a complaint to her social worker about this incident.
“Information about children’s care, as well as details about their health and wellbeing, is some of the most sensitive information a local authority holds,” commented Ken Macdonald, Assistant Commissioner for Scotland. “It is of vital importance that this information is protected and that robust policies are followed before it is disclosed.”
The first breach, which occurred in January 2011, did not come to light until March, when the council began an investigation. Unfortunately, this did not prevent further similar incidents taking place in May and June.
“The serious upset that these breaches would have caused to the children’s families is obvious and it is extremely concerning that this happened five times in as many months,” continued Macdonald. “I hope this penalty acts as a reminder to all organisations across Scotland and the rest of the UK to ensure that the personal information they handle is kept secure.”
The ICO’s investigation found that all five breaches could have been avoided if the council had put adequate data protection policies, training and checks in place.
The ICO has ordered the council to take action to keep the personal information it handles secure. The council has recovered all of the information mistakenly sent to the wrong recipients and will now check all records to ensure that the details it holds are up to date. The council will also update its existing data protection policy to include specific provisions for the handling of personal data by social services staff. Any outgoing letters containing sensitive or confidential data will be checked by another member of staff before being sent, and the council’s data protection training scheme will be improved.
The ICO is asking the government for stronger powers to audit local councils’ data protection compliance, if necessary without consent. The same powers are sought for NHS bodies across the UK following a series of data protection breaches.