North West council fined £70k after data breach relating to adopted child

A council in the North West has become the latest local authority to be fined by the Information Commissioner’s Office after a data breach in its social services team.

The ICO imposed a £70,000 monetary penalty on Halton Borough Council after a grade 2 clerical officer mistakenly sent details of the home address of adoptive parents to the birth mother in May 2012.

The mother gave the details to her parents, who were seeking to gain access to their grandchild.

The grandparents then wrote to the adoptive parents seeking contact. They later made an application to the court for direct contact, which was refused following two hearings.

The judge expressed concern that the grandparents had been able to make contact, and ordered them to sign undertakings that they would not contact their grandchild or the adoptive parents other than through Halton’s ‘letterbox’ procedure.

This procedure is intended to prevent each side from knowing the contact details of the other.

The Halton BC employee who sent the letter believed that any checks needed by social workers had already been carried out and the correspondence was simply for filing and distribution.

The council voluntarily reported the matter to the ICO when it became aware of the breach.

An ICO investigation concluded that the breach was caused by Halton’s “underlying failure to have a clear policy and process for checking such correspondence, and relevant training for their staff”.

Following the breach, Halton has introduced a checklist of requirements before correspondence of this type can be distributed. A peer-checking process for work carried out has also been put in place.

In setting the level of the penalty, the ICO noted in particular the fact that the grandparents had written to the adoptive parents and made contact in circumstances which were considered by the court to be inappropriate and required formal undertakings to prevent future similar contact.

Steve Eckersley, ICO Head of Enforcement, said: “It would be easy to dismiss this as a simple case of human error. The reality is that this incident happened because the organisation did not pay enough attention to how it handles vulnerable people’s sensitive information, leading to a mistake that was entirely avoidable had the right guidance and training been in place.

“The distress this incident will have caused the people involved is obvious, and the penalty we have issued today reflects that.”

A spokesman for Halton Borough Council said: “Once we were aware of the error we immediately reported it to the Commissioner. Processes have been reviewed and measures put in place to prevent something like this happening again.

“We have apologised to those concerned and we acknowledge the decision of the Commissioner.”