The Information Commissioner’s Office (ICO) has fined Surrey County Council £120,000 for breaching the Data Protection Act by emailing sensitive personal information to the wrong recipients on three separate occasions. The fines are the biggest handed out to date.

The first incident took place back in May 2010 when, according to the ICO, a member of the Council’s staff emailed a file containing sensitive personal information relating to 241 individuals’ physical and mental health to the wrong email list.

The recipients included taxi firms, coach and mini bus hire services. The council attempted to recall the email but was unable to confirm that all the recipients had destroyed it. The sensitive details were not encrypted or even password protected.

That was followed by a similar incident in June last year, when confidential personal data relating to a number of individuals was sent to over 100 members of the public that had actually signed up to receive a council newsletter.

The third and final breach came in January this year. The Council’s Children Services department sent an email containing data relating to an individual’s health to the wrong email list. Although it was sent to an internal group, and therefore didn’t leave the corporate network, it was still viewed by workers who should not have seen the information, the ICO said.

The size of the fine represents the fact that not only was the breach potentially very serious, the Council failed to learn the lesson after the first incident, Christopher Graham, UK Information Commissioner said.

"This significant penalty fully reflects the seriousness of the case," he said in a statement. "The fact that sensitive personal information relating to the health and welfare of 241 vulnerable individuals was sent to the wrong people is shocking enough. But when you take into account the two similar breaches that followed, it is clear that Surrey County Council failed to fully address the risks of sending sensitive personal data by email until it was far too late."

This is the sixth occasion the ICO has imposed a fine on an organisation for breaching the Data Protection Act since being granted the power to do so in April 2010. First up was a £100,000 fine for Hertfordshire County Council after it faxed sensitive information relating to child abuse to the wrong recipient. At the same time employment services company A4e was fined £60,000 for losing an unencrypted laptop containing personal information.

Ealing Council and Hounslow Council were the fined £80,000 and £70,000 respectively for losing unencrypted laptops containing sensitive personal information. Most recently ACS:Law solicitor Andrew Crossley was fined £1,000 following an attack by online activists Anonymous which exposed personal details of 6,000 people his company was accusing of downloading content without paying for it.

"Any organisation handling sensitive information must have appropriate levels of security in place. Surrey County Council has paid the price for their failings and this case should act as a warning to others that lax data protection practices will not be tolerated," Graham added.