ICO hits Stock-on-Trent City Council with £120,000 data breach fine
Data watchdog takes action after city council solicitor sent "highly sensitive" data about children in its care to the wrong address.
Stoke-On-Trent City Council has been fined £120,000 by the Information Commissioner’s Office (ICO) following a “serious” breach of the Data Protection Act (DPA).
The breach occurred when 11 emails containing “highly sensitive” information about several children and two adults in the council’s care was accidentally sent to the wrong address.
An investigation by the data protection watchdog revealed the council solicitor responsible for sending the emails also breached the local authority’s own rules by failing to send the information using a secured network.
It is particularly worrying that a breach in 2010 highlighted similar concerns.
It also emerged the council had neglected to rollout the required encryption software and was aware that staff were sending emails via unsecured networks.
Stephen Eckersley, head of enforcement at the ICO, said, if the information had been encrypted, the information would have remained secure.
“Instead, the authority has received a significant penalty for failing to adopt what is a simple and widely used security measure,” he said.
“It is particularly worrying that a breach in 2010 highlighted similar concerns around encryption at the authority, but the issue was not properly resolved.”
He also went on to confirm the council has now signed a legal notice, vowing to improve the data protection training provided to staff and tighten up security around the electronic transmission of data.
In a statement to IT Pro, the council said it has now introduced a secure remote access system for staff working from home and added encryption to all of its portable devices.
A secure email portal that allows the organisation to send sensitive information to non-council workers has also been established, and all unencrypted and non-council devices have now been blocked.
In line with the ICO’s ruling, the council must also introduce a staff training programme for all employees that handle personal data, who must complete the course by February 2013.
Staff must also commit to undergoing regular refresher courses and new employees will be banned from handling sensitive data until they complete it.
Steve Sankey, assistant director of business technology at the council, said: “We have implemented a lot of new procedures and security measures that will help to prevent future breaches.
“It was prudent after the Information Commissioner’s Office notified us of our weaknesses that we acted immediately to improve the situation.”