View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
January 31, 2012

ICO hands out record fine to Scottish council

Midlothian Council penalised for repeated breaches of the Data Protection Act

By Vinod

The Information Commissioner’s Office (ICO) has started 2012 with a bang by handing out a record fine to a council for repeated breaches of the Data Protection Act (DPA).

Following five data breaches that the ICO describes as "serious" it has fined Midlothian Council a record £140,000. The breaches involved the disclosure sensitive personal data relating to children and their carers to the wrong recipients on five separate occasions.

The ICO investigation revealed that all five breaches could have been avoided if the Council had adequate data protection policies and training in place.

The first incident occurred in January 2011 but was not revealed until March. Worryingly further breaches occurred after this date. One incident involved papers relating to the status of a foster carer being sent to seven healthcare professionals not connected to the case.

A second case saw minutes of a child protection conference sent in error to the former address of a mother’s partner, where they were opened and read by his ex-partner, the ICO said.

"Information about children’s care, as well as details about their health and wellbeing, is some of the most sensitive information a local authority holds. It is of vital importance that this information is protected and that robust policies are followed before it is disclosed," said Ken Macdonald, assistant commissioner for Scotland.

"The serious upset that these breaches would have caused to the children’s families is obvious and it is extremely concerning that this happened five times in as many months. I hope this penalty acts as a reminder to all organisations across Scotland and the rest of the UK to ensure that the personal information they handle is kept secure," he added.

Content from our partners
Scan and deliver
GenAI cybersecurity: "A super-human analyst, with a brain the size of a planet."
Cloud, AI, and cyber security – highlights from DTX Manchester

The Council will update its existing data protection policies to include specific provisions for the handling of personal data, including making sure any outgoing letters are checked by another member of staff prior to being sent.

The ICO has been on somewhat of a roll with fines recently. In December 2011 it handed out what was at the time its heaviest ever penalty, fining Powys County Council in Wales £130,000 for sending details of a child protection case to the wrong recipient.

Just a few weeks before that it fined two councils for emailing highly sensitive information to the wrong recipients. Worcestershire County Council was fined £80,000 while North Somerset Council was ordered to pay £60,000.

There is also the potential for another huge penalty to be handed out – Brighton and Sussex University Hospitals NHS Trust is facing a potential fine of £375,000 after 232 hard drives containing sensitive patient information were stolen. It is however contesting the decision as it claims it was the victim of a crime rather than the guilty party.

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.