ICO hits Surrey County Council with record penalty for data protection breach

The Information Commissioner's Office has hit Surrey County Council with the highest monetary penalty levied on a local authority so far for breaching the Data Protection Act.

The ICO issued the council with a £120,000 penalty after sensitive information was emailed to the wrong recipients on three separate occasions.

According to the watchdog, the first “and most significant” of the three incidents took place on 17 May 2010. A member of staff working for one of Surrey’s adult social care teams emailed a file containing sensitive personal information relating to 241 individuals’ physical and mental health to the wrong group email address.

The group email address included a large number of transportation companies, including taxi firms and coach and minibus hire services. “The council attempted to recall the email, but was later unable to confirm that all the recipients had destroyed it,” the ICO reported. “As the information was not encrypted or password protected, it had the potential to be viewed by a significant number of unauthorised individuals.”

The second incident occurred on 22 June 2010. In this case, confidential personal data relating to a number of individuals was mistakenly emailed to more than one hundred unintended recipients who, the ICO said, had registered to receive a council newsletter.

On 21 January 2011, Surrey’s children’s services department sent confidential sensitive information, which included data relating to an individual’s health, to the wrong internal group email address. The ICO acknowledged that the data did not leave the local authority’s network, but said the breach led to sensitive data being circulated to individuals who should not have received it.

The ICO said the size of the penalty “recognises the council’s failure to ensure that it had appropriate security measures in place to handle sensitive information”.

Surrey is the fourth local authority to have been hit with a substantial monetary penalty by the ICO for breach of the Data Protection Act since the watchdog was handed new powers in April 2010. The other councils are Hertfordshire County Council (£100,000), Ealing Council (£80,000) and Hounslow Council (£70,000).

The Information Commissioner, Christopher Graham, said: “This significant penalty fully reflects the seriousness of the case. The fact that sensitive personal information relating to the health and welfare of 241 vulnerable individuals was sent to the wrong people is shocking enough. But when you take into account the two similar breaches that followed, it is clear that Surrey County Council failed to fully address the risks of sending sensitive personal data by email until it was far too late.”

He added: “Any organisation handling sensitive information must have appropriate levels of security in place. Surrey County Council has paid the price for their failings and this case should act as a warning to others that lax data protection practices will not be tolerated.”

The ICO said Surrey had now taken action to improve its information security policies, such as developing an early warning system that alerts staff when sensitive information is being sent to an external email address. The authority has also improved staff training and is to ensure that group email addresses are clearly identifiable.
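The two controls the article describes (an alert when sensitive data is addressed outside the organisation, and group addresses that are recognisable as such) can be expressed as a pre-send check. The following is an added illustration, not Surrey’s or the ICO’s own system: the domain, the `grp-` naming convention and the group directory are constructed placeholders, and the three sample messages mirror the three incidents above.

```python
from dataclasses import dataclass

INTERNAL_DOMAIN = "council.example"   # assumed placeholder, not the council's real domain
GROUP_PREFIX = "grp-"                 # assumed convention that makes group addresses identifiable

# Constructed group directory: group address -> expanded member addresses.
# Expanding groups before the check exposes external members hidden behind an internal-looking address.
GROUP_DIRECTORY = {
    "grp-transport@council.example": ["taxi@cabs.example", "coach@hire.example"],
    "grp-newsletter@council.example": ["resident1@mail.example", "resident2@mail.example"],
    "grp-childrens@council.example": ["a.smith@council.example", "b.jones@council.example"],
}

@dataclass
class OutboundMessage:
    sender: str
    recipients: list
    sensitive: bool            # set by the author or an upstream classifier
    encrypted: bool = False    # True if the body/attachment is protected independently of transport

def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()

def is_group_address(address):
    return address.split("@", 1)[0].lower().startswith(GROUP_PREFIX)

def expand_recipients(recipients):
    """Replace each group address with its members; unknown addresses pass through unchanged."""
    expanded = []
    for r in recipients:
        expanded.extend(GROUP_DIRECTORY.get(r.lower(), [r]))
    return expanded

def check_message(msg):
    """Return warning strings for the message; an empty list means no control was triggered."""
    warnings = []
    if not msg.sensitive:
        return warnings
    groups = [r for r in msg.recipients if is_group_address(r)]
    if groups:  # group addresses fan out, so sensitive data to a group always warrants a prompt
        warnings.append(f"GROUP: sensitive data addressed to group address(es) {groups}")
    external = sorted({r for r in expand_recipients(msg.recipients) if domain_of(r) != INTERNAL_DOMAIN})
    if external and not msg.encrypted:  # the 'early warning' control for data leaving the authority
        warnings.append(f"EXTERNAL: unencrypted sensitive data would reach {len(external)} external recipient(s) {external}")
    return warnings

if __name__ == "__main__":
    sample = OutboundMessage("worker@council.example", ["grp-transport@council.example"], sensitive=True)
    for warning in check_message(sample):
        print(warning)
```

The first sample triggers both warnings because the group expands to external transport firms; an internal-only group triggers just the group prompt, which matches the lower severity the ICO attached to the third incident.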

In an interview with Local Government Lawyer in March, Deputy Information Commissioner Graham Smith defended the size of monetary penalties being levied on the public sector. He also rejected claims that the public sector was a soft target compared to the private sector.

Philip Hoult