ICO hits two councils with £140k penalties after email errors PDF Print E-mail
Monday, 28 November 2011 11:04

The Information Commissioner has slapped two local authorities with monetary fines worth a combined £140,000, saying he wanted to send “a clear message” to the social care sector.

The breaches of the Data Protection Act both involved the sending of emails containing sensitive information to unintended recipients.

The Information Commissioner, Christopher Graham, rounded on the local government sector for its "sloppiness", claiming that there was “too much of this sort of thing going on”.

Worcestershire County Council was hit with an £80,000 penalty after a member of staff emailed highly sensitive personal information about vulnerable people to 23 unintended recipients in March this year.

The individual had clicked on an additional contact list before sending the email, which was only intended for internal use.

According to the ICO, Worcestershire had:

  • failed to take appropriate measures to guard against the unauthorised processing of personal data, such as providing employees with appropriate training and clearly distinguishing between internal and external email distribution lists, and
  • failed to properly consider an alternative means of handling the information, such as holding it in a secure system that could only be accessed by members of staff who needed to see it.

The employee realised they had made an error immediately and sought to contact the unintended recipients to ensure that the information was deleted.

“Fortunately, on this occasion all of the unintended recipients worked for registered organisations used to operating within the council’s protocols about handling sensitive data,” the ICO said.

North Somerset Council has meanwhile been given a monetary penalty of £60,000. The ICO said that in this case, a member of staff sent five emails – two of which contained highly sensitive and confidential information about a child’s serious case review – to the wrong NHS employee.

The incidents took place during November and December 2010 and arose because the council's employee had selected the wrong email address when creating a personal distribution list.

Despite being told about the error by the unintended recipient, the employee continued to email information on a further three occasions.

Two Assistant Directors at North Somerset raised the issue with the employee on 9 December but later that day a fifth incident took place. The NHS organisation verbally confirmed to the local authority that it destroyed the emails after their own internal investigation was complete.

According to the ICO, North Somerset had some policies and procedures in place but had failed to ensure that relevant staff received appropriate data protection training. The watchdog has called on the council to adopt a more secure means to send information electorically, “including encryption and ensuring that managers sign off email distribution lists”.

Both Worcestershire and North Somerset have agreed to take remedial action.

Christopher Graham, said: “Personal information in cases involving vulnerable people is about the most sensitive personal information imaginable. It is of great concern that this sort of information was simply sent to the wrong recipients by staff at two separate councils.

“It was fortunate that in both cases at least the email recipients worked in a similar sector and so were used to handling sensitive information. This mitigating factor has been taken into account in assessing the amount of the penalties.”

The Information Commissioner said that people who handled highly sensitive personal information needed to understand the real weight of responsibility that came with keeping it secure.

“Of course this includes having the correct training and policies in place, but it’s also about common sense," he said. "Considering whether email is the appropriate medium, checking and double checking that the right recipients will receive the information – and measures like encryption and data minimisation – should be routine.”

Graham added: “I hope these penalties send a clear message to those working in the social care sector. The Information Commissioner takes this sloppiness seriously – and so should you.”

The penalties levied on Worcestershire and North Somerset bring the total of local authorities fined by the ICO to five. The other local authorities to have to pay out were Surrey County Council (£120,000), Hertfordshire County Council (£100,000), Ealing Council (£80,000) and Hounslow Council (£70,000).

The watchdog has been working on a business case to be submitted to the Ministry of Justice that would give it stronger powers to conduct compulsory audits of local authorities’ and NHS organisations’ data protection compliance.

See also: Privacy matters

Philip Hoult

 

Latest News

April 15, 2014

LGPS Advisory Board publishes QC opinion on tobacco investment

An administering authority for Local Government Pension Scheme (LGPS) funds may choose to take into account the public health implications of tobacco investment but only if the result of such consideration is the… Read more
April 15, 2014

Judgment reserved in case over disqualification of councillor and free speech

The High Court has reserved judgment in a case where a councillor in Wales has sought to challenge – on the basis of his right to free expression as an elected politician – his disqualification for two-and-a-half years. Read more
April 14, 2014

MPs take Government bodies to task over poor complaints handling

Government as a whole cannot be said to be complying with best practice in complaints handling or adapting to the needs and expectations of today’s citizen, the Public Administration Select Committee (PASC) has said. Read more
April 11, 2014

Welsh councils broke data protection laws "twice as often in 2013": BBC

The 22 councils in Wales broke data protection laws twice as often last year as they did in 2012, BBC Wales has said. Read more
April 09, 2014

Failure to pass on funding could see parishes bring legal action: NALC

Some parish councils are “being left with no other choice” but to consider legal action over the failure of 17 authorities to pass on funding intended to mitigate the impact of localised council tax support schemes on… Read more
April 09, 2014

High Court challenge over 'pre-ticking' electoral registration forms ends

Legal proceedings over the practice of electoral registration officers (EROs) ‘pre-ticking’ the annual electoral registration canvass form have come to an end. Read more
April 08, 2014

Kent Legal Services co-publishes guide to legal powers and duties

Kent Legal Services and esd-toolkit have published guidance on the legal powers and duties of local and fire authorities in England and Wales. Read more

 

Features

Money iStock 000008683901XSmall 146x219
April 02, 2014

Are local authorities bound by Ombudsman recommendations?

A High Court judge recently ruled that a council's decision to pay a developer only 20% of the £250,000 recommended by the Local Government Ombudsman was lawful. Nicholas Dobson analyses the case. Read more
Data inspection iStock 000008204804XSmall 146x219
April 02, 2014

The Duty of Candour - and general transparency

The Department of Health has published details of the proposed statutory Duty of Candour for health and adult social care providers, as well as a new general transparency duty. Corinne Slingo, Tracey Longfield and Belinda Dix examine the key points. Read more
April 02, 2014

Local authority control of charities - what are the limits?

The ties between a local authority and a charity were the subject of a recent Charity Commission report. Rachel Tonkin looks at the issues raised and the lessons to be learned. Read more
March 26, 2014

It's a sin to tell a lie

Jon Baines looks at the data protection issues raised by councils' use of voice risk analysis when benefit claimants are on the telephone. Read more
March 20, 2014

(Probably) the first group action for damages under the Data Protection Act

In December 2013 a group legal action was settled against a London borough following breaches of the Data Protection Act 1998 and the Human Rights Act 1998. Anna Thwaites, who acted for the claimants, explains the legal basis for the claims. Read more
March 20, 2014

The Inquiries Act 2005 - fit for purpose?

This month saw the publication of a Lords select committee report on the law and practice relating to public inquiries into matters of public concern and, in particular, the Inquiries Act 2005. Emma Ireton looks at the findings and recommendations. Read more

 

 

Knowledge Bank

May 18, 2012

Managing in a Political Environment

Author: Nicholas Dobson, Freeth Cartwright This paper outlines the changing role of the local government lawyer in the context of the legal, political and constitutional framework of local government. This paper looks at the legal powers that underpin the role of local authorities, including the…
April 19, 2012

General Power of Confidence – ‘A New Hope’?

Author: Nicholas Dobson, Freeth Cartwright The general power of competence has been designed to give councils the confidence to act, using the power as their primary tool, without needing to refer back to central government. The question is: will the new power deliver?
March 27, 2012

Predetermination and Bias - Can Careless Talk Still Cost Decisions?

Author: Nicholas Dobson, Freeth Cartwright Ministers entered government much exercised about the law surrounding predetermination. In the opinion of some, this was a conspiracy by local government lawyers to undermine the democratic process. And they were going to have none of it! The 2010…
March 15, 2012

Recent developments in freedom of information

Author: Anya Proops, 11KBW The body of jurisprudence relating to freedom of information has continued to develop apace over the last year. The exponential growth in appeals being heard by both the first-tier and upper tribunals has meant that practitioners are having to work ever harder to keep…

Older news and features

March 26, 2014

It's a sin to tell a lie

February 20, 2014

Searching for an answer

Click here for full section archive

Wilkin Chapman Goolden

Featured Jobs

Assistant Solicitor


CLICK HERE to search all current vacancies

Featured Courses & Events

Sign up for Courses and Events Updates

* indicates required

Services v2

Yellow pages iStock 000009762383XSmall cropTo access details of individual advertisers, please click on the relevant banner below.

To search all entries in the Local Government Lawyer Services Directory, please click here

 

Howell Christie Ltd

 


 Shout_to_the_top_looking_left_iStock_000006002590XSmall_98x74 Latest Blog Posts

 

 


 

Ballot_iStock_000006080605XSmall_thumb

Snap Judgement

Is the role of monitoring officer worth the risk?