The Information Commissioner’s Office (ICO) has confirmed it has fined Cheshire East Council a rather stiff £80,000 for failing to have adequate security measures in place when emailing personal information.
The fine was triggered because of a serious breach of the Data Protection Act, which occurred in May 2011.
According to the ICO, a council employee was asked to contact the local voluntary sector co-ordinator, to alert local voluntary workers to a police force’s concerns about an individual who was working in the area.
But the email contained the name and an alleged alias for the individual as well as information about the concerns the police had about him. This information was then forwarded by the co-ordinator to 100 intended recipients.
The real problem arose because the email did not have any clear markings or advice on how it was to be treated, and thus the recipients interpreted the wording of the message to mean that they, too, should forward the email to other voluntary workers. The email was therefore sent to 180 unsanctioned recipients.
“While we appreciate that it is vitally important for genuine concerns about individuals working in the voluntary sector to be circulated to relevant parties, a robust system must be put in place to ensure that information is appropriately managed and carefully disclosed,” said Stephen Eckersley, the ICO’s Head of Enforcement.
“Cheshire East Council also failed to provide this particular employee with adequate data protection training,” he said. “The highly sensitive nature of the information and the need to restrict its circulation should have been made clear to all recipients.
“I hope this case – along with the fact that we’ve handed out over one million pounds worth of penalties since our powers came into force – acts as a strong incentive for other councils to ensure that they have sufficient measures in place around protecting personal data,” Eckersley added.
Earlier this week, the ICO fined two councils a total of £180,000 for failing to keep highly sensitive information about the welfare of children secure.
Croydon Council was handed a penalty of £100,000 after a bag containing papers relating to the care of a child sex-abuse victim was stolen from a London pub. Norfolk County Council was also served with an £80,000 penalty for disclosing allegations against a parent and the welfare of their child to the wrong recipient.
Despite a slow start to issuing financial penalties in 2010, the ICO has been much busier of late, after it recently pledged to crack down on rule breakers in 2012. The Metropolitan Police admitted earlier this month to accidentally sharing over 1,000 email addresses of crime victims with other victims.
In January, Midlothian Council was fined £140,000 for disclosing sensitive personal data relating to children and their carers on five separate occasions.
Not all are accepting these fines. The Brighton and Sussex University Hospitals NHS Trust, for example, warned that it would appeal if it was fined £375,000, an amount specified by the ICO. That incident involved hard disk drives containing patient data that were handed over to a registered contractor for destruction, only to end up for sale on eBay.
Under current legislation, the ICO has the power to issue a fine of up to £500,000 to organisations which have committed a serious breach of the Data Protection Act (DPA).
However, the ICO believes this is not enough and wants jail sentences, a stance backed by MPs on the Justice Committee, after they called for more severe penalties, including custodial sentences, to be imposed on those found guilty of breaching the Act.
Dear Sir,
Last week we saw the Information Commissioner move forward with the tough penalties he initially introduced last year around NHS data breaches with three councils receiving fines for separate cases of lost personal details totalling £180,000.
In these times of austerity, increasingly we’re seeing organisations pushing budgets to the limit, so much so that security is one of the first things that can get neglected, particularly as such functions have traditionally been perceived as costly.
This is a timely reminder of the type of risks that organisations can impose on themselves and their customers if the right precautions to protect information are not followed, and the mess organisations can get into if measures to detect such breaches are lax.
Data breaches are becoming a part of an everyday experience for many organisations. Clearly more needs to be done to get to the root of the problem and educate employees on the importance of data security, before we face a data breach with national consequences.
Kevin Norlin,
GM & VM (EMEA) Quest Software