After a long run of warnings, criticisms and agreements with organisations to improve their data protection practices, the Information Commissioner’s Office (ICO) has decided to fine two county Councils for serious breaches of the Data Protection Act (DPA).
In both cases the Councils emailed highly sensitive information to the wrong recipients.
In the first case, a worker at Worcestershire County Council sent information about a large number of vulnerable people to 23 unintended recipients.
The ICO says the error occurred when the worker clicked on an additional contact list before the email was sent. The contact list was intended for internal use only, the ICO said.
Worcestershire County Council has been fined £80,000 over the incident, which occurred in March 2011.
The Council was criticised for its failure to adequately train workers in handling personal data and in distinguishing between external and internal email distribution lists. Luckily, those who accidentally received the sensitive information were all registered organisations used to dealing with sensitive information. The email error was also caught early, and the worker contacted all recipients to ask them to delete the emails, the ICO said.
The second case involved North Somerset Council. According to the ICO, the Council sent five emails, two of which contained highly sensitive and confidential information about a child’s serious case review, to the wrong NHS employee. Email distribution lists were again at the root of the problem, as an employee had entered the wrong email address prior to sending.
Although the recipient notified the sender of their error, the mistake was repeated three more times, the ICO said. The issue was then raised with senior management and the employee but incredibly a fifth and final email was sent to the wrong person later that same day.
The NHS confirmed that the emails had been destroyed.
The Council was fined £60,000 over the incident. According to the ICO the Council did in fact have procedures in place for handling sensitive data but staff were not adequately trained. The ICO has also suggested the Council should ensure senior managers sign off email distribution lists.
"Personal information in cases involving vulnerable people is about the most sensitive personal information imaginable," said Information Commissioner Christopher Graham. "It is of great concern that this sort of information was simply sent to the wrong recipients by staff at two separate councils."
"It was fortunate that in both cases at least the email recipients worked in a similar sector and so were used to handling sensitive information. This mitigating factor has been taken into account in assessing the amount of the penalties," he added.
Graham added that this issue is too widespread for comfort. "There is too much of this sort of thing going on across local government. People who handle highly sensitive personal information need to understand the real weight of responsibility that comes with keeping it secure. Of course this includes having the correct training and policies in place, but it’s also about common sense."
"Considering whether email is the appropriate medium, checking and double checking that the right recipients will receive the information – and measures like encryption and data minimisation – should be routine. I hope these penalties send a clear message to those working in the social care sector. The Information Commissioner takes this sloppiness seriously – and so should you," he warned.
These fines represent the seventh and eighth occasions on which the ICO has issued a monetary penalty for failure to adhere to the Data Protection Act. The biggest fine to date stands at £120,000, handed out to Surrey County Council after it also emailed sensitive information to the wrong recipients.
Other fines have been handed out to Worcestershire County Council, ACS:Law solicitor Andrew Jonathan Crossley, Ealing Council, Hounslow Council, employment services company A4e and Hertfordshire County Council.