Council sends abuse allegations to wrong address after Google Map search

Cheshire West and Chester Council has given an undertaking to the Information Commissioner’s Office after a number of data breaches including allegations of historic sexual abuse being sent to an incorrect address due to the address and postcode being obtained from a Google Map search.

The undertaking also revealed: the disclosure of an incorrect mobile phone number to an ex-partner of a data subject; and a data handling procedure, introduced following previous breaches, not being adhered to in some high risk areas as staff had not been made aware of it.

“Following investigations into those incidents, it was found that some staff members within these services had not received any data protection training at all,” the undertaking added.

The council agreed in February 2014 to an ICO audit, which took place in October 2014. This gave a limited assurance rating.

A number of concerns relating to staff training were identified. These were compounded by a series of self-reported incidents which the commissioner was advised of; the majority concerned disclosure in error cases and almost all involved staff who had not received data protection training. Some of the individuals were temporary agency workers.

The ICO’s subsequent investigations found that its recommendations had not been implemented fully. “The Commissioner’s investigation identified the general uptake of data protection training across Cheshire West and Chester Council was unsatisfactory with considerable discrepancies in the uptake of training between different service areas,” the watchdog said.

The further data breaches in relation to the historic sexual abuse, the incorrect mobile phone number and the data handling procedure all took place after this point.

The ICO said the level of Cheshire West and Chester’s overall organisational compliance with mandatory data protection training had fluctuated significantly over the last two years.

“The latest organisational data protection training compliance figure for the year ended 2016/2017 was 61% overall, with much lower than expected attainment figures evidenced in some high risk areas such as Children and Family Services and Adult Social Care and Health,” the watchdog added.

In the undertaking the council agreed that as data controller:

  • It shall conduct a risk based training needs analysis for all roles within the organisation to ascertain the level of data protection awareness required for the role, and the frequency at which the individual should receive refresher training to ensure they are reminded of their obligations in order to prevent further security incidents. This analysis should also consider whether the training should be tailored for specific roles, and should be completed within six months of the date of the undertaking.
  • It shall deliver mandatory data protection training in relation to both the requirements of the Act and the council’s policies and guidance to all employees whose role involves the handling of personal data, as identified in the training needs analysis and regardless of their contractual status. This process should be completed within six months.
  • It shall ensure that all new members of staff responsible for the handling of personal data are given appropriate data protection training commensurate with their role upon induction.
  • It shall ensure that mandatory refresher data protection training is undertaken at the intervals identified and as set out in the training needs analysis; such training to be refreshed annually as a minimum.
  • It shall ensure that mandatory data protection and refresher training is monitored and enforced.

Gerald Meehan, Chief Executive at Cheshire West and Chester Council, said: "The council is responsible for managing and maintaining huge amounts of personal information and we take data protection extremely seriously. I must therefore apologise that on a small number of occasions due to human error, we have fallen short of the high expectations rightly placed upon us.

"I would like to reassure everyone that we are proactively working with the Information Commissioner’s Office to put in place the actions put forward to keep personal data safe and to minimise the risk of similar incidents happening again."

Meehan added: "Data protection training is now a mandatory requirement for all staff including temporary and agency workers and new compliance monitoring systems will be implemented to measure the effectiveness of this training and to ensure everyone has completed it. Mandatory refresher training will also be provided.

"We already have the relevant policies and procedures in place to ensure compliance with the Data Protection Act (1998) and we are preparing for the new General Data Protection Regulations (GDPR) coming into effect in May 2018."