ICO hits two councils with £140k penalties after email errors PDF Print E-mail
Monday, 28 November 2011 11:04

The Information Commissioner has slapped two local authorities with monetary fines worth a combined £140,000, saying he wanted to send “a clear message” to the social care sector.

The breaches of the Data Protection Act both involved the sending of emails containing sensitive information to unintended recipients.

The Information Commissioner, Christopher Graham, rounded on the local government sector for its "sloppiness", claiming that there was “too much of this sort of thing going on”.

Worcestershire County Council was hit with an £80,000 penalty after a member of staff emailed highly sensitive personal information about vulnerable people to 23 unintended recipients in March this year.

The individual had clicked on an additional contact list before sending the email, which was only intended for internal use.

According to the ICO, Worcestershire had:

  • failed to take appropriate measures to guard against the unauthorised processing of personal data, such as providing employees with appropriate training and clearly distinguishing between internal and external email distribution lists, and
  • failed to properly consider an alternative means of handling the information, such as holding it in a secure system that could only be accessed by members of staff who needed to see it.

The employee realised they had made an error immediately and sought to contact the unintended recipients to ensure that the information was deleted.

“Fortunately, on this occasion all of the unintended recipients worked for registered organisations used to operating within the council’s protocols about handling sensitive data,” the ICO said.

North Somerset Council has meanwhile been given a monetary penalty of £60,000. The ICO said that in this case, a member of staff sent five emails – two of which contained highly sensitive and confidential information about a child’s serious case review – to the wrong NHS employee.

The incidents took place during November and December 2010 and arose because the council's employee had selected the wrong email address when creating a personal distribution list.

Despite being told about the error by the unintended recipient, the employee continued to email information on a further three occasions.

Two Assistant Directors at North Somerset raised the issue with the employee on 9 December but later that day a fifth incident took place. The NHS organisation verbally confirmed to the local authority that it destroyed the emails after their own internal investigation was complete.

According to the ICO, North Somerset had some policies and procedures in place but had failed to ensure that relevant staff received appropriate data protection training. The watchdog has called on the council to adopt a more secure means to send information electorically, “including encryption and ensuring that managers sign off email distribution lists”.

Both Worcestershire and North Somerset have agreed to take remedial action.

Christopher Graham, said: “Personal information in cases involving vulnerable people is about the most sensitive personal information imaginable. It is of great concern that this sort of information was simply sent to the wrong recipients by staff at two separate councils.

“It was fortunate that in both cases at least the email recipients worked in a similar sector and so were used to handling sensitive information. This mitigating factor has been taken into account in assessing the amount of the penalties.”

The Information Commissioner said that people who handled highly sensitive personal information needed to understand the real weight of responsibility that came with keeping it secure.

“Of course this includes having the correct training and policies in place, but it’s also about common sense," he said. "Considering whether email is the appropriate medium, checking and double checking that the right recipients will receive the information – and measures like encryption and data minimisation – should be routine.”

Graham added: “I hope these penalties send a clear message to those working in the social care sector. The Information Commissioner takes this sloppiness seriously – and so should you.”

The penalties levied on Worcestershire and North Somerset bring the total of local authorities fined by the ICO to five. The other local authorities to have to pay out were Surrey County Council (£120,000), Hertfordshire County Council (£100,000), Ealing Council (£80,000) and Hounslow Council (£70,000).

The watchdog has been working on a business case to be submitted to the Ministry of Justice that would give it stronger powers to conduct compulsory audits of local authorities’ and NHS organisations’ data protection compliance.

See also: Privacy matters

Philip Hoult

 

Latest News

April 23, 2014

Minister stresses importance of overview and scrutiny in combined authorities

A government minister has written to the leaders of constituent and non-constituent councils in three recently-created combined authorities to highlight the importance of following good practice on overview and scrutiny. Read more
April 22, 2014

Pickles threatens five councils over alleged breaches of publicity code

The Communities Secretary has threatened five London councils with legal directions over alleged breaches of the Code of Recommended Practice on Local Authority Publicity. Read more
April 22, 2014

Justice Secretary hits out at "inappropriate" use of judicial review

Society is “too legalistic” and the legal system is being “exploited inappropriately by pressure groups with a political point to make”, the Justice Secretary has claimed. Read more
April 17, 2014

Met Police find "no credible evidence of criminality" in Tower Hamlets files

The Metropolitan Police has found “no credible evidence of criminality” within files it received about the London Borough of Tower Hamlets to provide reasonable grounds to suspect that fraud or any other offence has… Read more
April 16, 2014

ICO raps two councils after data breaches involving social services records

Two local authorities have given undertakings to the Information Commissioner’s Office after breaches of the Data Protection Act in relation to social services records. Read more
April 16, 2014

Council and Leader defeat £670k slander claim over childrens care homes

A High Court judge has dismissed a £670,000 claim for slander brought against a borough council and its leader by two companies that operate residential children’s care homes in its area. Read more
April 15, 2014

LGPS Advisory Board publishes QC opinion on tobacco investment

An administering authority for Local Government Pension Scheme (LGPS) funds may choose to take into account the public health implications of tobacco investment but only if the result of such consideration is the… Read more

 

Features

Dialogue iStock 000009191235XSmall 146X219
April 10, 2014

Consultation – backing no horses, and the importance of interim relief

David Hart QC looks at the lessons to be learned from a recent Court of Appeal ruling that a council had failed to consult properly on the closure of a day care centre. Read more
Money iStock 000008683901XSmall 146x219
April 02, 2014

Are local authorities bound by Ombudsman recommendations?

A High Court judge recently ruled that a council's decision to pay a developer only 20% of the £250,000 recommended by the Local Government Ombudsman was lawful. Nicholas Dobson analyses the case. Read more
April 02, 2014

The Duty of Candour - and general transparency

The Department of Health has published details of the proposed statutory Duty of Candour for health and adult social care providers, as well as a new general transparency duty. Corinne Slingo, Tracey Longfield and Belinda Dix examine the key points. Read more
April 02, 2014

Local authority control of charities - what are the limits?

The ties between a local authority and a charity were the subject of a recent Charity Commission report. Rachel Tonkin looks at the issues raised and the lessons to be learned. Read more
March 26, 2014

It's a sin to tell a lie

Jon Baines looks at the data protection issues raised by councils' use of voice risk analysis when benefit claimants are on the telephone. Read more
March 20, 2014

(Probably) the first group action for damages under the Data Protection Act

In December 2013 a group legal action was settled against a London borough following breaches of the Data Protection Act 1998 and the Human Rights Act 1998. Anna Thwaites, who acted for the claimants, explains the legal basis for the claims. Read more

 

 

Knowledge Bank

May 18, 2012

Managing in a Political Environment

Author: Nicholas Dobson, Freeth Cartwright This paper outlines the changing role of the local government lawyer in the context of the legal, political and constitutional framework of local government. This paper looks at the legal powers that underpin the role of local authorities, including the…
April 19, 2012

General Power of Confidence – ‘A New Hope’?

Author: Nicholas Dobson, Freeth Cartwright The general power of competence has been designed to give councils the confidence to act, using the power as their primary tool, without needing to refer back to central government. The question is: will the new power deliver?
March 27, 2012

Predetermination and Bias - Can Careless Talk Still Cost Decisions?

Author: Nicholas Dobson, Freeth Cartwright Ministers entered government much exercised about the law surrounding predetermination. In the opinion of some, this was a conspiracy by local government lawyers to undermine the democratic process. And they were going to have none of it! The 2010…
March 15, 2012

Recent developments in freedom of information

Author: Anya Proops, 11KBW The body of jurisprudence relating to freedom of information has continued to develop apace over the last year. The exponential growth in appeals being heard by both the first-tier and upper tribunals has meant that practitioners are having to work ever harder to keep…

Older news and features

March 26, 2014

It's a sin to tell a lie

Click here for full section archive

Wilkin Chapman Goolden

Featured Jobs

Harrogate Chief Solicitor


CLICK HERE to search all current vacancies

Featured Courses & Events

50% off LGLtv subscriptions

Sign up for Courses and Events Updates

* indicates required

Services v2

Yellow pages iStock 000009762383XSmall cropTo access details of individual advertisers, please click on the relevant banner below.

To search all entries in the Local Government Lawyer Services Directory, please click here

 

Howell Christie Ltd

 


 Shout_to_the_top_looking_left_iStock_000006002590XSmall_98x74 Latest Blog Posts

 

 


 

Ballot_iStock_000006080605XSmall_thumb

Snap Judgement

Is the role of monitoring officer worth the risk?