ICO slaps Surrey County Council with £120,000 fine

Surrey County Council gets hit with a £120,000 fine for misdirecting emails containing personal data.

Sensitive data

The Information Commissioner's Office (ICO) today hit Surrey County Council with a 120,000 fine for breaching the Data Protection Act.

It is the biggest penalty handed out by the ICO to a single organisation since the watchdog was granted the ability to fine up to 500,000 in April 2010.

Surrey County Council was reprimanded after the local authority misdirected emails containing sensitive data on three separate occasions.

Advertisement - Article continues below

The first case from 17 May 2010 saw a member of staff working for an adult social care team sent the sensitive personal data of 241 individuals' physical and mental health to the wrong group email address.

Although the council tried to recall the email, it could not confirm the messages had been destroyed by recipients.

Furthermore, the data sent to various unauthorised parties, including taxi firms and minibus hire companies, was not encrypted or password protected.

Two further cases followed in which confidential personal data was sent to the wrong people.

"This significant penalty fully reflects the seriousness of the case," said information commissioner Christopher Graham.

"The fact that sensitive personal information relating to the health and welfare of 241 vulnerable individuals was sent to the wrong people is shocking enough. But when you take into account the two similar breaches that followed, it is clear that Surrey County Council failed to fully address the risks of sending sensitive personal data by email until it was far too late."

Advertisement - Article continues below
Advertisement - Article continues below

The council has taken steps to shore up practices, including the addition of an early warning system to alert staff when data information is being sent to an external email address.

The ICO has been called on repeatedly to show its muscle and issue more fines, so this could appease those thirsty for blood.

In April, the ICO deputy commissioner David Smith told IT Pro the body wanted greater fining powers.

Read on for our look at whether ICO's approach has been effective or if companies are getting away with poor data handling.

Featured Resources

Top 5 challenges of migrating applications to the cloud

Explore how VMware Cloud on AWS helps to address common cloud migration challenges

Download now

3 reasons why now is the time to rethink your network

Changing requirements call for new solutions

Download now

All-flash buyer’s guide

Tips for evaluating Solid-State Arrays

Download now

Enabling enterprise machine and deep learning with intelligent storage

The power of AI can only be realised through efficient and performant delivery of data

Download now



UK government may trace COVID-19 patients using mobile phone data

20 Mar 2020

10 quick tips to identifying phishing emails

16 Mar 2020
mergers and acquisitions

Panda Security to be acquired by WatchGuard

9 Mar 2020
General Data Protection Regulation (GDPR)

Irish data regulator racks up GDPR cases against Big Tech

24 Feb 2020

Most Popular

video conferencing

Zoom beams iOS user data to Facebook for targeted ads

27 Mar 2020
Server & storage

HPE warns of 'critical' bug that destroys SSDs after 40,000 hours

26 Mar 2020

These are the companies offering free software during the coronavirus crisis

25 Mar 2020
Mobile Phones

Apple lifts iPhone purchase restrictions

23 Mar 2020