The Information Commissioner’s Office (ICO) has started 2012 with a bang by handing out a record fine to a council for repeated breaches of the Data Protection Act (DPA).
Following five data breaches that the ICO describes as "serious", it has fined Midlothian Council a record £140,000. The breaches involved the disclosure of sensitive personal data relating to children and their carers to the wrong recipients on five separate occasions.
The ICO investigation revealed that all five breaches could have been avoided if the Council had adequate data protection policies and training in place.
The first incident occurred in January 2011 but was not revealed until March. Worryingly, further breaches occurred after this date. One incident involved papers relating to the status of a foster carer being sent to seven healthcare professionals not connected to the case.
A second case saw minutes of a child protection conference sent in error to the former address of a mother’s partner, where they were opened and read by his ex-partner, the ICO said.
"Information about children’s care, as well as details about their health and wellbeing, is some of the most sensitive information a local authority holds. It is of vital importance that this information is protected and that robust policies are followed before it is disclosed," said Ken Macdonald, assistant commissioner for Scotland.
"The serious upset that these breaches would have caused to the children’s families is obvious and it is extremely concerning that this happened five times in as many months. I hope this penalty acts as a reminder to all organisations across Scotland and the rest of the UK to ensure that the personal information they handle is kept secure," he added.
The Council will update its existing data protection policies to include specific provisions for the handling of personal data, including making sure any outgoing letters are checked by another member of staff prior to being sent.
The ICO has been on something of a roll with fines recently. In December 2011 it handed out what was at the time its heaviest ever penalty, fining Powys County Council in Wales £130,000 for sending details of a child protection case to the wrong recipient.
Just a few weeks before that it fined two councils for emailing highly sensitive information to the wrong recipients. Worcestershire County Council was fined £80,000 while North Somerset Council was ordered to pay £60,000.
There is also the potential for another huge penalty to be handed out: Brighton and Sussex University Hospitals NHS Trust is facing a possible fine of £375,000 after 232 hard drives containing sensitive patient information were stolen. It is, however, contesting the decision, as it claims it was the victim of a crime rather than the guilty party.