Local authorities fined by ICO for data protection breaches
Updated January 2012
The Information Commissioner's Office (ICO) has taken action against three local authorities that lost sensitive personal data from their social services departments. One of the fines imposed is the largest fine to date issued by the ICO.
Worcestershire County Council was penalised for its actions in March 2011, when one of its employees e-mailed sensitive personal data concerning a large number of vulnerable people to 23 unintended external recipients. The error was caused by the individual in question adding an additional contact list to an e-mail by mistake. An ICO investigation into the incident found that Worcestershire County Council had failed to provide its members of staff with adequate training in data protection. However, the ICO was made aware that the employee in question had realised the mistake straight away, and had taken action to contact the unintended recipients and ask that the sensitive data be deleted. As a result of this incident, and taking the above factors into account, Worcestershire County Council was fined £80,000 by the Information Commissioner's Office.
The second council found to have committed a serious breach of the Data Protection Act, North Somerset Council, also faced a sanction from the ICO in the form of a £60,000 fine. This was a result of one of its employees having sent a series of e-mails concerning a sensitive child welfare case to the wrong NHS employee. The ICO found that the council employee had been notified of this error shortly after the first e-mail had been sent, but had continued to send further e-mails despite this warning. Although North Somerset Council had some data protection policies and procedures in place, the ICO recommended that further training be provided to relevant members of staff, and that the council should adopt a more secure method of sending information electronically.
The largest fine was imposed on Powys County Council, which was served with a monetary penalty of £130,000. As with the fine imposed on North Somerset Council, this was another instance of the details of a child protection case being sent to the wrong recipient. The high level of the fine in this instance was a result of Powys County Council having reported an almost identical data protection breach to the ICO in June 2010, and having failed to act on the ICO's recommendations following that case. The ICO warned Powys County Council that if it continued to commit serious breaches of the Data Protection Act, it would face further action.
The above incidents illustrate the importance of taking appropriate steps to comply with the Data Protection Act, particularly if your organisation handles sensitive personal data. It is recommended that organisations review their data protection training and policies to ensure that members of staff who handle sensitive personal data understand the need to keep data secure and to ensure that there are clear guidelines in place in relation to the transmission of sensitive personal data to third parties.
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at January 2012. Specific advice should be sought for specific cases; we cannot be held responsible for any action (or decision not to take action) made in reliance upon the content of this publication.
TLT LLP is a limited liability partnership registered in England & Wales number OC 308658 whose registered office is at One Redcliff Street, Bristol BS1 6TP England. A list of members (all of whom are solicitors or lawyers) can be inspected by visiting the People section of this website. TLT LLP is authorised and regulated by the Solicitors Regulation Authority under number 406297.
Contact
Alison Deighton
Partner
Tel: +44 (0)117 917 8016