December 19, 2011
North Somerset and Worcestershire County councils have been issued severe penalties after the Information Commissioner’s Office (ICO) found that staff at both authorities sent highly sensitive personal information to the wrong recipients.
In March 2011, a member of staff at Worcestershire County Council emailed highly sensitive personal information about a large number of vulnerable people to 23 unintended recipients. The employee reportedly clicked on an additional contact list before sending the email, which had only been intended for internal use. As a result, the ICO served a monetary penalty of £80,000.
North Somerset Council was also fined £60,000 for similar breaches of the Data Protection Act when an employee sent five emails, two of which contained highly sensitive and confidential information about a child’s serious case review, to the wrong NHS employee.
“Personal information in cases involving vulnerable people is about the most sensitive personal information imaginable,” said Information Commissioner Christopher Graham. “It is of great concern that this sort of information was simply sent to the wrong recipients by staff at two separate councils.
“Considering whether email is the appropriate medium, checking and double checking that the right recipients will receive the information – and measures like encryption and data minimisation – should be routine. I hope these penalties send a clear message to those working in the social care sector. The Information Commissioner takes this sloppiness seriously – and so should you.”
The news comes as the Information Commissioner is pressing for stronger powers to audit data protection compliance across local government and the NHS.