Isle of Scilly Council ordered to review procedures following data incidents

10 Sep 2014 01:05 PM

The Information Commissioner’s Office (ICO) has ordered the Council of the Isle of Scilly to implement new data protection policies and training after two data breaches involving the disclosure of personal data. 

The first breach occurred in June 2013 when an attachment inadvertently included in an email revealed personal data related to a disciplinary hearing.

A further incident occurred in September 2013 involving two documents containing sensitive personal data, ending up in public circulation. Poor data sharing, including staff using personal email accounts and paper documents not being properly redacted meant details of an investigation into the conduct of a former head teacher were disclosed publicly.

ICO Head of Enforcement, Stephen Eckersley, said:

“Personal data must be handled securely and safely. The council has failed to do so and must now make immediate changes.

“The people of the Isles of Scilly need to be confident their council understands and complies with the law. Our undertaking will help ensure they do so.”

The council has agreed to implement mandatory data protection training, with refresher training to be updated regularly. They must also draft appropriate guidance on the safe transfer of personal data by email and consider the use of encryption. The council must also draft a redaction policy.

View the Isle of Scilly Council undertaking (pdf)

ENDS

Notes to Editors

1. The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

2. The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.

3. The ICO is on Twitter, Facebook and LinkedIn, and produces a monthly e-newsletter.

4. Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:

• Fairly and lawfully processed
• Processed for limited purposes
• Adequate, relevant and not excessive
• Accurate and up to date
• Not kept for longer than is necessary
• Processed in line with your rights
• Secure
• Not transferred to other countries without adequate protection

5. If you need more information, please contact the ICO press office on 0303 123 9070