June 20, 2011
The Information Commissioner’s Office (ICO) has fined Surrey County Council £120,000 for a serious breach of the Data Protection Act, after a series of issues involving the mishandling of personal information.
On three separate occasions, emails containing sensitive data were sent to unintended recipients. In the most serious offence, a member of the council’s Adult Social Care Teams emailed a file containing sensitive personal information relating to 241 individuals’ physical and mental health to the wrong group email address, including taxi firms and mini bus hire services.
“This significant penalty fully reflects the seriousness of the case. The fact that sensitive personal information relating to the health and welfare of 241 vulnerable individuals was sent to the wrong people is shocking enough,” said Christopher Graham, UK Information Commissioner.
“But when you take into account the two similar breaches that followed, it is clear that Surrey County Council failed to fully address the risks of sending sensitive personal data by email until it was far too late.
“Any organisation handling sensitive information must have appropriate levels of security in place. Surrey County Council has paid the price for their failings and this case should act as a warning to others that lax data protection practices will not be tolerated.”
Do you have systems in place to protect sensitive data? Seek advice on meeting your requirements under the Data Protection Act before it’s too late.