Merseyside council agrees to improve practices after social service records sent to the wrong address
15 Apr 2014 03:11 PM
A council in Merseyside
breached the Data Protection Act after social services records containing
sensitive personal information were sent to the wrong addresses on two
occasions
The information was disclosed by
Wirral Borough Council in February and April 2013. The records included
sensitive personal details relating to two families living in the borough and
in one case included details of a criminal offence committed by one of the
family members.
An investigation by the
Information Commissioner’s Office (ICO) found that the council had no
mandatory data protection training in place for staff and did not have adequate
checks in place to make sure records were being sent to the correct address.
Three other disclosure incidents have also been reported to the ICO
previously.
ICO Head of Enforcement, Stephen
Eckersley, said:
“While human error was a
factor in each of these cases, the council should have done more to keep the
information secure. Social workers routinely handle sensitive information and
Wirral Borough Council failed to ensure their staff received adequate training
on how to keep people’s information secure.
“We are pleased that the
council has now made its data protection training mandatory for all staff
following these incidents and has agreed to take further
action to address the underlying problems that led to these mistakes.
This includes ensuring that all staff complete the data protection training by
the end of June and adequate checks are in place to make sure sensitive records
are being sent to the right address.”
Today’s undertaking comes
after Wirral Borough Council signed an undertaking in June last
year to improve the timeliness of its FOI responses. The undertaking
came after concerns that the council was failing to respond to FOI requests
within the statutory deadline of 20 working days, or with a suitable extension
for complex requests. The council fulfilled the terms of this undertaking and
has improved its performance in this area.
Notes to
Editors
1. The Information
Commissioner’s Office upholds information rights in the public interest,
promoting openness by public bodies and data privacy for
individuals.
2. The ICO has specific
responsibilities set out in the Data Protection Act 1998, the Freedom of
Information Act 2000, Environmental Information Regulations 2004 and Privacy
and Electronic Communications Regulations 2003.
3. The ICO is on Twitter, Facebook and LinkedIn, and produces a
monthly e-newsletter.
4. Anyone who processes personal
information must comply with eight principles of the Data Protection
Act, which make sure that personal information is:
- Fairly and lawfully
processed
- Processed for limited
purposes
- Adequate, relevant and not
excessive
- Accurate and up to
date
- Not kept for longer than is
necessary
- Processed in line with your
rights
- Secure
- Not transferred to other
countries without adequate protection
5. If you need more information,
please contact the ICO press office on 0303 123 9070.