Bungling councils fined over £300,000 for data protection breaches
Published by Max Salsbury for 24dash.com in Local Government and also in Communities, Legal, Regulation
The Information Commissioner has said that councils have an "underlying problem with data protection" after a year in which local authorities have paid out over £300,000 in fines for losing personal data.
Leeds City Council, Plymouth City Council and Devon County Council have all been hit with large fines this year after bungling staff sent details of child care cases out to the wrong recipients. The London Borough of Lewisham was issued a penalty of £70,000 after social work papers were left on a train.
Nineteen councils have been fined for breaches of the Data Protection Act since April 2010, with the penalties totalling £1,885,000.
The Information Commissioner, Christopher Graham, has condemned councils' attitudes towards private data. He said: "We are fast approaching two million pounds worth of monetary penalties issued to UK councils for breaching the Data Protection Act, with nineteen councils failing to have the most straightforward of procedures in place.
"It would be far too easy to consider these breaches as simple human error. The reality is that they are caused by councils treating sensitive personal data in the same routine way they would deal with more general correspondence. Far too often in these cases, the councils do not appear to have acknowledged that the data they are handling is about real people, and often the more vulnerable members of society.
"The distress that these incidents would have caused to the people involved is obvious. The penalties we have issued will be of little solace to them, but we do hope it will stop other people having to endure similar distress by sending out a clear message that this type of approach to personal data will not be tolerated.
"There is clearly an underlying problem with data protection in local government and we will be meeting with stakeholders from across the sector to discuss how we can support them in addressing these problems."
In July 2011, an employee of Leeds City Council put personal details about a child in care in a reused envelope for the internal mail. However, the original address on the envelope hadn't been crossed out and the details ended up being posted to someone who had nothing to do with the case. The council was fined £95,000 for the breach.
In a similar case, Plymouth City Council was hit with a £60,000 fine after a mix-up with an office printer led to highly sensitive information concerning allegations of child neglect being sent to the wrong family.
Meanwhile, in May 2011 a Devon County Council social worker used an older case as a template for an adoption panel report, but accidentally sent out the old report instead of the new one. The blunder led to details about the alleged criminal offences and mental and physical health of 22 people being revealed. The council was ordered to pay out £90,000 for the mishap.
In March 2012, a social worker employed by the London Borough of Lewisham left documents concerning GP and police reports and allegations of sexual abuse and neglect on a train. The documents were subsequently recovered from the rail company’s lost property office. The council was hit with a penalty of £70,000 for the blunder.
The Information Commissioner's Office (ICO) is now pressing the Ministry of Justice for stronger powers to audit local councils’ data protection compliance, if necessary without consent.
The ICO upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:
• Fairly and lawfully processed
• Processed for limited purposes
• Adequate, relevant and not excessive
• Accurate and up to date
• Not kept for longer than is necessary
• Processed in line with your rights
• Secure
• Not transferred to other countries without adequate protection