ICO hits Barnet Council with data loss penalty

Barnet Council has been slapped with a £70,000 fine by the Information Commissioner’s Office (ICO) for losing sensitive information relating to young children.

The ICO said the breach of the Data Protection Act (DPA) occurred when a worker took home paper records to work on out of hours. The social worker’s home was burgled in April last year, and a laptop bag containing the records and an encrypted computer was stolen, the ICO said.

The papers contained the names, addresses, dates of birth and details of the sexual activities of 15 vulnerable children or young people.

It is the second time in just under two years the ICO has taken action against the council. In June 2010 the council signed an undertaking to improve data protection practices following a similar incident to this one, when an unencrypted computer containing sensitive information was taken from an employee’s home.

The policy drawn up after the first incident was not in place when the second breach occurred, the ICO said.

The ICO did however say that while the council did have a data protection policy in place and guidance for staff on how to handle sensitive data there was no indication on how this information should be kept secure.

"The potential for damage and distress in this case is obvious. It is therefore extremely disappointing the council had not put in place sufficient measures in time to avoid this second loss," said Simon Entwisle, the ICO’s Director of Operations.

"While we are pleased that Barnet Council has now taken action to keep the personal data they use secure, it is vitally important that organisations have the correct guidance in place to keep sensitive paper records taken outside of the office safe. This includes storing papers containing sensitive information separately from laptops," he added.

In a statement Barnet Council said it was disappointed with the ruling as the data was stolen during a robbery.

"We obviously accept the ICO’s judgment but we are very disappointed that the Commissioner has fined the council in this instance," the statement said.

"This data loss was the result of a criminal act where a member of staff had their house broken into and material that was under lock and key was stolen. The ICO also accepts that it was appropriate for the member of staff to have this material at home for this period."

Meanwhile, the ICO website was today back online after battling a DDoS attack, said to have been launched by an Anonymous splinter group.

Sign up for our regular news round-up!

Give your business an edge with our leading Tech Monitor

Sign up