
ICO hits two councils with £140k penalties after email errors

The Information Commissioner has slapped two local authorities with monetary fines worth a combined £140,000, saying he wanted to send “a clear message” to the social care sector.

The breaches of the Data Protection Act both involved the sending of emails containing sensitive information to unintended recipients.

The Information Commissioner, Christopher Graham, rounded on the local government sector for its "sloppiness", claiming that there was “too much of this sort of thing going on”.

Worcestershire County Council was hit with an £80,000 penalty after a member of staff emailed highly sensitive personal information about vulnerable people to 23 unintended recipients in March this year.

The individual had clicked on an additional contact list before sending the email, which was only intended for internal use.

According to the ICO, Worcestershire had:

  • failed to take appropriate measures to guard against the unauthorised processing of personal data, such as providing employees with appropriate training and clearly distinguishing between internal and external email distribution lists, and
  • failed to properly consider an alternative means of handling the information, such as holding it in a secure system that could only be accessed by members of staff who needed to see it.
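The two controls the ICO names, a clear separation of internal from external distribution lists and a manager-approved register of lists, can be enforced as a pre-send check rather than left to the sender's attention. The following is an added illustration, not code from either council or the ICO; the list names, addresses and the `example-council.gov.uk` domain are constructed for the example.

```python
"""Pre-send recipient check for an internal-only email.

Added illustration, not code from the councils or the ICO. The domains and
distribution lists below are constructed for the example.
"""
from dataclasses import dataclass, field

# Constructed: domains that count as "internal" for this organisation.
INTERNAL_DOMAINS = {"example-council.gov.uk"}

# Constructed: the register of distribution lists a manager has signed off.
# A list name not present here is treated as unknown and fails the check,
# so an ad hoc personal list cannot be used without being registered.
APPROVED_LISTS = {
    "safeguarding-team": [
        "a.worker@example-council.gov.uk",
        "b.worker@example-council.gov.uk",
    ],
    "safeguarding-partners": [
        "c.worker@example-council.gov.uk",
        "duty@partner-charity.example.org",
        "referrals@local-nhs-trust.example.nhs.uk",
    ],
}


@dataclass
class CheckResult:
    allowed: bool
    external: list = field(default_factory=list)  # external addresses found
    unknown: list = field(default_factory=list)   # list names not in the register


def is_internal(address, internal_domains=INTERNAL_DOMAINS):
    """True if the address's domain is one of the internal domains."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain in internal_domains


def expand_recipients(entries, lists=APPROVED_LISTS):
    """Expand registered list names to addresses; plain addresses pass through.

    Returns (addresses, unknown_list_names). Anything without an '@' that is
    not a registered list is reported as unknown rather than silently sent.
    """
    addresses, unknown = [], []
    for entry in entries:
        if entry in lists:
            addresses.extend(lists[entry])
        elif "@" in entry:
            addresses.append(entry)
        else:
            unknown.append(entry)
    return addresses, unknown


def check_outgoing(entries, internal_only, lists=APPROVED_LISTS,
                   internal_domains=INTERNAL_DOMAINS):
    """Decide whether a message may be sent to the given recipient entries.

    The send is blocked if any entry is an unregistered list name, or if the
    message is marked internal-only and any expanded address is external.
    """
    addresses, unknown = expand_recipients(entries, lists)
    external = sorted({a for a in addresses if not is_internal(a, internal_domains)})
    allowed = not unknown and not (internal_only and external)
    return CheckResult(allowed=allowed, external=external, unknown=unknown)


if __name__ == "__main__":
    # The Worcestershire pattern: an internal-only message with an extra list
    # added by mistake that contains external recipients.
    result = check_outgoing(["safeguarding-team", "safeguarding-partners"],
                            internal_only=True)
    print("allowed:", result.allowed)
    print("external recipients:", result.external)
```

Run against an internal-only message with the mixed list added by mistake, the check refuses the send and names the external addresses so the sender can see which list caused it; the same message to only the internal list passes, and a list name that is not in the register is refused regardless of the internal-only flag.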

The employee realised they had made an error immediately and sought to contact the unintended recipients to ensure that the information was deleted.

“Fortunately, on this occasion all of the unintended recipients worked for registered organisations used to operating within the council’s protocols about handling sensitive data,” the ICO said.

North Somerset Council has meanwhile been given a monetary penalty of £60,000. The ICO said that in this case, a member of staff sent five emails – two of which contained highly sensitive and confidential information about a child’s serious case review – to the wrong NHS employee.

The incidents took place during November and December 2010 and arose because the council's employee had selected the wrong email address when creating a personal distribution list.

Despite being told about the error by the unintended recipient, the employee continued to email information on a further three occasions.

Two Assistant Directors at North Somerset raised the issue with the employee on 9 December but later that day a fifth incident took place. The NHS organisation verbally confirmed to the local authority that it destroyed the emails after their own internal investigation was complete.

According to the ICO, North Somerset had some policies and procedures in place but had failed to ensure that relevant staff received appropriate data protection training. The watchdog has called on the council to adopt a more secure means to send information electronically, “including encryption and ensuring that managers sign off email distribution lists”.

Both Worcestershire and North Somerset have agreed to take remedial action.

Christopher Graham, said: “Personal information in cases involving vulnerable people is about the most sensitive personal information imaginable. It is of great concern that this sort of information was simply sent to the wrong recipients by staff at two separate councils.

“It was fortunate that in both cases at least the email recipients worked in a similar sector and so were used to handling sensitive information. This mitigating factor has been taken into account in assessing the amount of the penalties.”

The Information Commissioner said that people who handled highly sensitive personal information needed to understand the real weight of responsibility that came with keeping it secure.

“Of course this includes having the correct training and policies in place, but it’s also about common sense," he said. "Considering whether email is the appropriate medium, checking and double checking that the right recipients will receive the information – and measures like encryption and data minimisation – should be routine.”

Graham added: “I hope these penalties send a clear message to those working in the social care sector. The Information Commissioner takes this sloppiness seriously – and so should you.”

The penalties levied on Worcestershire and North Somerset bring the total of local authorities fined by the ICO to five. The other local authorities to have to pay out were Surrey County Council (£120,000), Hertfordshire County Council (£100,000), Ealing Council (£80,000) and Hounslow Council (£70,000).

The watchdog has been working on a business case to be submitted to the Ministry of Justice that would give it stronger powers to conduct compulsory audits of local authorities’ and NHS organisations’ data protection compliance.


Philip Hoult

(c) HB Editorial Services Ltd 2009-2022