November 28, 2011

ICO flexes its muscles with Council fines

Two Councils sent sensitive information via email... to the wrong recipients

By Steve Evans

After a long run of warnings, criticisms and making organisations agree to improve their data protection practices, the Information Commissioner’s Office (ICO) has decided to fine two county Councils for serious breaches of the Data Protection Act (DPA).

In both cases the Councils emailed highly sensitive information to the wrong recipients.

In the first case, a worker at Worcestershire County Council sent information about a large number of vulnerable people to 23 unintended recipients.

The ICO says the error occurred when the worker clicked on an additional contact list before the email was sent. The contact list was intended for internal use only, the ICO said.

Worcestershire County Council has been fined £80,000 over the incident, which occurred in March 2011.

The Council was criticised for its failure to adequately train workers about using personal data and distinguishing between external and internal email distribution lists. Luckily those who accidentally received the sensitive information were all registered organisations used to dealing with sensitive information. The email error was also caught early and the worker contacted all recipients to ask them to delete the emails, the ICO said.

The second case involved North Somerset Council. According to the ICO, the Council sent five emails, two of which contained highly sensitive and confidential information about a child’s serious case review, to the wrong NHS employee. Email distribution lists were again at the root of the problem, as an employee had entered the wrong email address prior to sending.


Although the recipient notified the sender of their error, the mistake was repeated three more times, the ICO said. The issue was then raised with senior management and the employee but incredibly a fifth and final email was sent to the wrong person later that same day.

The NHS confirmed that the emails had been destroyed.

The Council was fined £60,000 over the incident. According to the ICO the Council did in fact have procedures in place for handling sensitive data but staff were not adequately trained. The ICO has also suggested the Council should ensure senior managers sign off email distribution lists.
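The two failure modes described above (an internal-only distribution list used for an outgoing message, and sensitive material typed to an address outside the intended organisation) can be caught before sending. The following is an added illustration, not anything the ICO or either Council published; the domains, list names and sign-off field are constructed for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass
class DistributionList:
    name: str
    members: List[str]
    internal_only: bool
    approved_by: Optional[str] = None  # manager sign-off, as the ICO recommended


@dataclass
class OutboundMail:
    recipients: List[str]            # addresses typed directly into the message
    lists: List[DistributionList]    # distribution lists attached to the message
    sensitive: bool                  # e.g. safeguarding or serious case review material


INTERNAL_DOMAINS = frozenset({"council.example"})  # constructed, hypothetical domain


def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def check_outbound(mail: OutboundMail,
                   approved_external: FrozenSet[str] = frozenset()) -> List[str]:
    """Return the reasons the message should be held; an empty list means it may go."""
    problems: List[str] = []
    all_rcpts = list(mail.recipients)
    for dl in mail.lists:
        if dl.approved_by is None:
            problems.append(f"list '{dl.name}' has no manager sign-off")
        external = [m for m in dl.members if domain(m) not in INTERNAL_DOMAINS]
        if dl.internal_only and external:
            problems.append(f"internal-only list '{dl.name}' contains "
                            f"{len(external)} external address(es)")
        all_rcpts.extend(dl.members)
    if mail.sensitive:
        # Sensitive content may only leave the organisation for pre-approved partner domains
        for r in all_rcpts:
            d = domain(r)
            if d not in INTERNAL_DOMAINS and d not in approved_external:
                problems.append(f"sensitive content addressed to unapproved domain: {r}")
    return problems


# Constructed scenario: a sensitive message with an unsigned, internal-only list attached by mistake
MISUSED_LIST_MAIL = OutboundMail(
    recipients=["casework@council.example"],
    lists=[DistributionList("partners", ["a@charity.example", "b@housing.example"],
                            internal_only=True)],
    sensitive=True)
```

A misspelt partner address is reported the same way as a wholly unknown domain, which is the check the North Somerset emails would have failed.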

"Personal information in cases involving vulnerable people is about the most sensitive personal information imaginable," said Information Commissioner Christopher Graham. "It is of great concern that this sort of information was simply sent to the wrong recipients by staff at two separate councils."

"It was fortunate that in both cases at least the email recipients worked in a similar sector and so were used to handling sensitive information. This mitigating factor has been taken into account in assessing the amount of the penalties," he added.

Graham added that this issue is too widespread for comfort. "There is too much of this sort of thing going on across local government. People who handle highly sensitive personal information need to understand the real weight of responsibility that comes with keeping it secure. Of course this includes having the correct training and policies in place, but it’s also about common sense."

"Considering whether email is the appropriate medium, checking and double checking that the right recipients will receive the information – and measures like encryption and data minimisation – should be routine. I hope these penalties send a clear message to those working in the social care sector. The Information Commissioner takes this sloppiness seriously – and so should you," he warned.

These fines represent the seventh and eighth occasions on which the ICO has issued a monetary penalty for failure to adhere to the Data Protection Act. The biggest fine to date stands at £120,000, handed out to Surrey County Council after it also emailed sensitive information to the wrong recipients.

Other fines have been handed out to Worcestershire County Council, ACS:Law solicitor Andrew Jonathan Crossley, Ealing Council, Hounslow Council, employment services company A4e and Hertfordshire County Council.
