The Information Commissioner’s Office (ICO) has imposed a monetary penalty of £140,000 on Midlothian Council for disclosing sensitive personal data relating to children and their carers to the wrong recipients on five separate occasions. The penalty is the first that the ICO has served against an organisation in Scotland.
The five serious data breaches – all involving children’s social service reports being sent to the wrong recipients – occurred between January and June 2011. One of them happened when papers relating to the status of a foster carer were sent to seven healthcare professionals, none of whom had any reason to see the information. In another case, minutes of a child protection conference were sent in error to the former address of a mother’s partner, where they were opened and read by his ex-partner. The papers also contained personal data about the children’s mother, who made a complaint to her social worker about this incident.
The first breach, which occurred in January 2011, did not come to light until March, when the Council began an investigation. Unfortunately, this did not prevent further similar incidents taking place in May and June.
Ken Macdonald, Assistant Commissioner for Scotland said:
“Information about children’s care, as well as details about their health and wellbeing, is some of the most sensitive information a local authority holds. It is of vital importance that this information is protected and that robust policies are followed before it is disclosed.
“The serious upset that these breaches would have caused to the children’s families is obvious and it is extremely concerning that this happened five times in as many months. I hope this penalty acts as a reminder to all organisations across Scotland and the rest of the UK to ensure that the personal information they handle is kept secure.”
The ICO’s investigation found that all five breaches could have been avoided if the council had put adequate data protection policies, training and checks in place.
The ICO has ordered the council to take action to keep the personal information they handle secure. The council has recovered all of the information mistakenly sent to the wrong recipients and will now check all records to ensure that the details they hold are up-to-date. The council will also update its existing data protection policy to include specific provisions for the handling of personal data by social services staff. Any outgoing letters containing sensitive or confidential data will also be checked by another member of staff before being sent. The council’s data protection training scheme will also be improved.
The ICO is asking the government for stronger powers to audit local councils’ data protection compliance, if necessary without consent. The same powers are sought for NHS bodies across the UK following a series of data protection breaches.