Wolverhampton Council must take better care of people's information
29 May 2014 03:52 PM
The Information
Commissioner’s Office (ICO) has ordered Wolverhampton City Council to
provide adequate data protection training for its staff following a series of
warnings dating back over two years.
The enforcement action follows
an investigation into a data breach at the council that occurred in January
2012. The breach was caused when a social worker, who had not received data
protection training, sent out a report to a former service user detailing their
time in care. However, the social worker failed to remove highly sensitive
information about the recipient’s sister that should not have been
included.
On 20 December 2011, just before
the breach, the ICO had completed an audit with the council. The audit
recommended the council introduce a data protection policy, explaining how
people’s information should be kept secure. It also recommended the
council should provide mandatory staff training so that the policy was
followed.
The policy was introduced in May
2013 with mandatory training for all staff scheduled to be completed by the end
of February this year. However, the ICO has discovered the council has failed
to meet this deadline with two thirds of the council’s staff (68%) still
having not undertaken the training.
The council must now make sure
the training is provided to all staff within 50 days, or the matter will be
treated as contempt of court.
ICO Head of Enforcement, Stephen
Eckersley, said:
“The lack of urgency
displayed by Wolverhampton City Council is startling. Over two years ago, we
reviewed the council’s practices and highlighted the need for guidance
and mandatory training to help its staff keep residents’ information
secure.
“Despite numerous warnings
the council has failed to act, with over two thirds of its staff still
remaining untrained. We have taken positive steps and acted before this
situation is allowed to continue any longer and more people’s personal
information is lost.”
View a PDF of the Wolverhampton Council enforcement
notice
Notes to
Editors
1. The Information
Commissioner’s Office upholds information rights in the public interest,
promoting openness by public bodies and data privacy for
individuals.
2. The ICO has specific
responsibilities set out in the Data Protection Act 1998, the Freedom of
Information Act 2000, Environmental Information Regulations 2004 and Privacy
and Electronic Communications Regulations 2003.
3. The ICO is on Twitter, Facebook and LinkedIn, and produces a
monthly e-newsletter.
4. Anyone who processes personal
information must comply with eight principles of the Data Protection
Act, which make sure that personal information is:
- Fairly and lawfully
processed
- Processed for limited
purposes
- Adequate, relevant and not
excessive
- Accurate and up to
date
- Not kept for longer than is
necessary
- Processed in line with your
rights
- Secure
- Not transferred to other
countries without adequate protection
5. If you need more information,
please contact the ICO press office on 0303 123 9070.