Hot on the heels of fining two Councils for breaching the data protection act (DPA), the Information Commissioner’s Office (ICO) has now handed out its biggest monetary penalty to date, to Powys County Council in Wales.
The Council has been fined £130,000 for sending details of a child protection case to the wrong recipient. This followed a similar incident that was reported to the ICO in June of last year.
The incident that tipped the ICO over the edge came in February this year when documents relating to two separate child protection cases were sent to the same printer. The ICO believes pages from the two reports became mixed up and were sent out without being checked.
The recipient of the wrong information knew the mother and child involved in the case and made a complaint to the Council.
The earlier incident, which took place in June 2010, involved the same recipient receiving the wrong papers. Once again, the recipient knew the child involved in the case.
At that time the ICO investigated and told the Council to tighten up its security measures. The Council was also warned that any repeat breach of the DPA would result in further action.
Assistant Commissioner for Wales Anne Jones said the seriousness of the incident mean the ICO felt it appropriate to hand out a record fine.
"The distress that this incident would have caused to the individuals involved is obvious and made worse by the fact that the breach could have been prevented if Powys County Council had acted on our original recommendations," she said.
"The ICO has also issued a legal notice ordering the council to take action to improve its data handling. Failure to do so will result in legal action being taken through the courts," Jones added.
The ICO has served a legal notice on the Council that states all staff must be trained in how to follow guidelines for looking after personal data by 31 March 2012. Refresher training will be provided every three years, the ICO said.
Anne Jones added that the regularity of data breaches at social services departments across the UK is causing the ICO some concern, and that they will be looking into improving data handling practices.
"There is clearly an underlying problem with data protection in social services departments and we will be meeting with stakeholders from across the UK’s local government sector to discuss how we can support them in addressing these problems," she said.
The ICO recently fined both Worcestershire County Council and North Somerset Council for serious breaches of the DPA, when sensitive information was emailed to the wrong recipient. The fines in those cases were £80,000 and £60,000 respectively.
