Information Commissioner's Office

Adoptive parents’ details mistakenly sent to birth family in council data breach

The Information Commissioner’s Office (ICO) yesterday served a monetary penalty of £70,000 to Halton Borough Council in Cheshire following a serious breach of the Data Protection Act.

The breach occurred on 25 May last year when a council employee sent a letter about an adopted child to the birth mother, and mistakenly included a covering letter giving details of the adoptive parents’ home address. The birth mother passed this information to her parents, who had been trying to obtain access to their grandchild. Subsequently they wrote to the adoptive parents seeking contact.

At the time of the breach the employee involved was under the impression that adequate checks had already been carried out and the correspondence was simply for filing and distribution.

The ICO’s investigation concluded that the breach was caused by Halton Borough Council’s underlying failure to have a clear policy and process for checking such correspondence, and relevant training for their staff.

Steve Eckersley, ICO Head of Enforcement, said:

“It would be easy to dismiss this as a simple case of human error. The reality is that this incident happened because the organisation did not pay enough attention to how it handles vulnerable people’s sensitive information, leading to a mistake that was entirely avoidable had the right guidance and training been in place.

“The distress this incident will have caused the people involved is obvious, and the penalty we have issued today reflects that.”

Since the breach, Halton Borough Council has implemented a clear checklist of requirements before such correspondence can be distributed, together with a peer-checking process for work carried out by their staff.

The monetary penalty is paid into the Treasury’s Consolidated Fund and is not kept by the Commissioner.

Notes to Editors

1. The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
 
2. The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.

3. The ICO is on Twitter, Facebook and LinkedIn, and produces a monthly e-newsletter.

4. Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:

  • Fairly and lawfully processed
  • Processed for limited purposes
  • Adequate, relevant and not excessive
  • Accurate and up to date
  • Not kept for longer than is necessary
  • Processed in line with your rights
  • Secure
  • Not transferred to other countries without adequate protection

