Information Commissioner's Office
Printable version E-mail this to a friend

‘Entirely avoidable’ loss of sensitive children’s records leads to penalty for London charity

A social care charity has been served a monetary penalty of £70,000 after highly sensitive information about the care of four young children was lost after being left outside a London home, the Information Commissioner’s Office (ICO) announced yesterday.

A social worker, who worked for Norwood Ravenswood Ltd, left the detailed reports at the side of the house on 5 December 2011 after attempting to deliver the items to the children’s prospective adoptive parents. At the time neither occupant was at the house, but when they returned to the property the reports were gone. The information has never been recovered.

The reports contained sensitive information, including details of any neglect and abuse suffered by the children, along with information about their birth families. The ICO’s investigation found that the social worker had not received data protection training, in breach of the charity’s own policy, and received no guidance on how to send personal data securely to prospective adopters.

Stephen Eckersley, Head of Enforcement at the ICO, said:

“We have warned the charity sector that they must have thorough policies and procedures in place to keep the often sensitive information they handle secure. We do not want to be issuing monetary penalties to charities, but in this case the seriousness of the breach left us with little choice.

“The children involved in this case were no more than 6 years old and now they are in a situation where their most sensitive details could be in the hands of a complete stranger. The fact that the social worker had received no training while working at the charity, on how to look after what is extremely sensitive information, is truly staggering. This breach was entirely avoidable.

“We are pleased that Norwood Ravenswood Ltd has now taken action to keep personal information secure. We hope that this breach acts as a warning to all charities that they must fulfil their legal requirements under the Data Protection Act by handling people’s information correctly. We will be happy to provide advice and guidance on how best to achieve this.”

A copy of yesterday's monetary penalty served on Norwood Ravenswood Ltd is available in the Taking action section of the ICO website.

In August the ICO warned charities that they were potentially more susceptible to a serious data breach as they will often be handling sensitive information, such as that relating to an individual’s health. The ICO advises any charities that require further support to sign up for a free advisory visit to improve their compliance.

Notes to Editors

1. The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
2. The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.
3. Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:

  • Fairly and lawfully processed
  • Processed for limited purposes
  • Adequate, relevant and not excessive
  • Accurate and up to date
  • Not kept for longer than is necessary
  • Processed in line with your rights
  • Secure
  • Not transferred to other countries without adequate protection

4. The ICO is on Twitter, Facebook and LinkedIn, and produces a monthly e-newsletter.