WIREDGOV

The Information Commissioner’s Office (ICO) has criticised local government’s attitude towards protecting personal data, after four local councils were issued civil monetary penalties.

Leeds City Council was served a monetary penalty of £95,000, Plymouth City Council £60,000 and Devon County Council £90,000 after separate incidents saw details of child care cases sent to the wrong recipients, while the London Borough of Lewisham was issued a penalty of £70,000 after social work papers were left on a train.

The penalties mean that nineteen local councils have now received monetary penalties for breaching the Data Protection Act, totalling £1,885,000.

Leeds City Council
The case in Leeds saw sensitive personal details about a child in care sent to the wrong person, revealing details of a criminal offence, school attendance and information about the child’s relationship with their mother.

When sending internal mail, the council re-use envelopes that have been used for external mail. But in this case the external address wasn’t crossed out, and so the sensitive file was posted to someone who had nothing to do with this case.

More details can be found in the final penalty notice.

Plymouth City Council
The breach at Plymouth City Council followed a similar pattern, with information passed to the wrong recipient including highly sensitive personal information about two parents and four children, notably allegations of child neglect relating to ongoing care proceedings.

The breach occurred when two reports about separate child neglect cases were sent to the same shared printer. Three pages from the first report were mistakenly collected with the papers from the second case, and so were handed to the wrong family.

More details can be found in the final penalty notice.

Devon County Council
In Devon, a social worker used a previous case as a template for an adoption panel report they were writing, but a copy of the old report was sent out instead of the new one.

The mistake revealed personal data of 22 people, including details of alleged criminal offences and mental and physical health.

More details can be found in the final penalty notice.

London Borough of Lewisham
In Lewisham, a social worker left sensitive documents in a plastic shopping bag on a train, after taking them home to work on.

The files, which were later recovered from the rail company’s lost property office, included GP and police reports and allegations of sexual abuse and neglect.

More details can be found in the final penalty notice.

Information Commissioner Christopher Graham said:

The ICO is pressing the Ministry of Justice for stronger powers to audit local councils’ data protection compliance, if necessary without consent.  The same powers are sought for NHS bodies across the UK following a series of data protection breaches in the health sector.

You can see details of the councils who have been issued with civil monetary penalties at: http://www.ico.gov.uk/enforcement/fines.aspx. All monetary penalties are paid into the Treasury’s Consolidated Fund and are not kept by the Commissioner.

Notes to Editors
1. The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
 
2. The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.
 
3. The ICO is on Twitter, Facebook and LinkedIn, and produces a monthly e-newsletter. Our For the media page provides more information for journalists.
 
4. Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is: