ICO blasts local councils for poor data handling

News 17 Dec, 2012

Data protection watchdog to lobby Ministry of Justice for powers to audit local government without consent.

The Information Commissioner’s Office (ICO) has blasted local government attitudes to data protection after doling out penalties amounting to £1,885,000 to 19 local councils since 2010.

The data protection watchdog said, in light of this, it is lobbying the Ministry of Justice for powers to audit local councils and NHS departments on compliance grounds without their consent.

Information Commissioner Christopher Graham said, in a statement, the organisation plans to meet with local government stakeholders to help them address the issue of data protection.

We are fast approaching £2 million worth of monetary penalties issued to UK councils.

“We are fast approaching £2 million worth of monetary penalties issued to UK councils for breaching the Data Protection Act, with 19 councils failing to have the most straightforward of procedures in place,” he said.

“[These] are caused by councils treating sensitive personal data in the same routine way they would deal with more general correspondence...[and] there is clearly an underlying problem with data protection in local government.”

The ICO’s decision to speak out follows a spate of recent local government Data Protection Act breaches involving Leeds City Council, Devon County Council, the London Borough of Lewisham and Plymouth County Council.

In the most recent case, the London Borough of Lewisham was fined £70,000 on 12 December 2012 because a social worker left case papers relating to a child protection matter on a train.

The files contained police and GP reports, as well as allegations of sexual abuse and neglect.

In a statement to IT Pro, the council said the member of staff responsible was no longer working there.

“We very much regret that a member of staff...potentially put confidential information into the public domain,” said the statement.

“Since the breach occurred, we have taken steps to make sure all staff who work with this type of confidential information are fully aware of their responsibilities and the need to comply with council practice and security measures.”

In another case, Devon County Council received a penalty notice of £90,000 after a social worker used a previous case as a template for an adoption panel report, but accidentally sent out a copy of the old document by mistake.

A council representative told IT Pro it intends to pay the fine and described the breach as a mistake that “simply shouldn’t have happened.”

They added: “We take our duties regarding data protection extremely seriously and have a good track record in this respect.

“We have already begun mandatory data protection training for all employees whose jobs involve handling personal data.”

Leeds City Council received a fine of £95,000 on 16 November after sensitive details about a child in care were sent to the wrong person, resulting in information about the child’s upbringing being erroneously disclosed.

In a similar case, Plymouth City Council was ordered to cough up £60,000 after highly sensitive personal information about two parents and four children involved in ongoing care proceedings were sent to the wrong person.

It claims the fines handed out to all four councils exceeded £300,000, but a representative from Plymouth City Council contested this, stating its fine of £60,000 was reduced to £48,000 because it paid up early.

With this in mind, the total value of the fines stands at around £293,000.