ICO warns councils over home working by social services employees
A city council has been fined £100,000 by the Information Commissioner’s Office after information on social services involvement with a number of individuals was published online.
According to the ICO, the information released by Aberdeen City Council as a result of a data breach included details relating to the care of vulnerable children.
The breach occurred after a council employee – who was authorised to access data relevant to her job remotely – accessed documents from her home computer. A file transfer program installed on the machine automatically uploaded four documents to a website.
These were: the minute of a core group meeting held in relation to a child; a LAAC Review minute; a child’s plan; and a transfer summary. They contained sensitive information about several vulnerable children and their families, including details of alleged criminal offences.
The employee told the council that the computer was second hand and must have had the auto-upload program installed on it by a previous owner.
The ICO said the files were uploaded between 8 and 14 November 2011 and remained available online until 15 February 2012.
The issue came to light when another member of staff spotted the documents after carrying out an online search linked to their own name and job title.
Aberdeen City Council was informed and the original documents were removed within four hours, before the incident was reported to the ICO.
A national newspaper became aware of the incident and published a story on the breach. However, the article did not identify any of the data subjects.
The watchdog’s investigation found that Aberdeen had no relevant home working policy in place for staff and did not have sufficient measures in place to restrict the downloading of sensitive information from the council’s network.
Ken Macdonald, Assistant Commissioner for Scotland at the ICO, said: “As more people take the opportunity to work from home, organisations must have adequate measures in place to make sure the personal information being accessed by home workers continues to be kept secure.
“In this case Aberdeen City Council failed to monitor how personal information was being used and had no guidance to help home workers look after the information. On a wider level, the council also had no checks in place to see whether the council’s existing data protection guidance was being followed. The result was a serious data breach that left the sensitive information of a vulnerable young child freely available online for three months.”
Macdonald said: “We would urge all social work departments to sit up and take notice of this case by taking the time to check their home working setup is up to scratch.”