WiredGov Newswire (news from other organisations)
ICO - Powys County Council fined £130,000 for disclosing child protection case details
The Information Commissioner's Office (ICO) yesterday served a monetary penalty of £130,000 on Powys County Council for a serious breach of the Data Protection Act, in which the details of a child protection case were sent to the wrong recipient. The penalty is the highest that the ICO has served since it received the power in April 2010 and follows a less serious but similar incident, which was reported by the council to the ICO in June last year.
The latest breach occurred in February when two separate reports about child protection cases were sent to the same shared printer. It is thought that two pages from one report were then mistakenly collected with the papers from another case and were sent out without being checked. The recipient mistakenly received the two pages of the report and knew the identities of the parent and child whose personal details were included in the papers. The recipient made a complaint to the council and a further complaint was also submitted by the recipient’s mother via her MP.
The breach followed a similar incident, reported to the ICO in June 2010, when a social worker sent information relating to a vulnerable child to the same recipient. The child named in the report was again known to the recipient. After making enquiries, the ICO highlighted the need for the council to introduce mandatory training and to tighten up its security measures. The ICO also warned the council that further action would be taken if a similar incident occurred again.
Assistant Commissioner for Wales, Anne Jones said:
“This is the third UK council in as many weeks to receive a monetary penalty for disclosing sensitive information about vulnerable people. It’s the most serious case yet and it has attracted a record fine. The distress that this incident would have caused to the individuals involved is obvious and made worse by the fact that the breach could have been prevented if Powys County Council had acted on our original recommendations.
“The ICO has also issued a legal notice ordering the council to take action to improve its data handling. Failure to do so will result in legal action being taken through the courts.
“There is clearly an underlying problem with data protection in social services departments and we will be meeting with stakeholders from across the UK’s local government sector to discuss how we can support them in addressing these problems.”
The enforcement notice that the ICO has served places a legal requirement on the authority to make further improvements to its data protection practices. The notice requires that all staff must be trained on how to follow the council’s guidance on the handling of personal data by 31 March 2012, with refresher training provided every three years.
The ICO is pressing the Ministry of Justice for stronger powers to audit local councils’ data protection compliance, if necessary without consent. The same powers are sought for NHS bodies across the UK following a series of data protection breaches.
Read more about the action we've taken
Notes to Editors
1. The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
2. The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.
3. Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:
- Fairly and lawfully processed
- Processed for limited purposes
- Adequate, relevant and not excessive
- Accurate and up to date
- Not kept for longer than is necessary
- Processed in line with your rights
- Secure
- Not transferred to other countries without adequate protection
4. The ICO is on Twitter, Facebook and LinkedIn. Read more in the ICO blog and e-newsletter.
5. If you need more information, please contact the ICO press office on 0303 123 9070 or ico.gov.uk/press