Midlothian Council Fined £140,000 for Data Breach

Council sent information to the wrong people five times in six months

The Information Commissioner’s Office (ICO) has imposed a £140,000 fine on Midlothian Council for disclosing sensitive personal data relating to children and their carers on five separate occasions.

The sensitive information was sent to the wrong recipients, including cases where letters were sent to former addresses of those involved. The first breach, which occurred in January 2011, did not come to light until March, when the Council began an investigation. Unfortunately, this did not prevent further similar incidents taking place in May and June.

Letters sent in error

The ICO’s investigation found that all five breaches could have been avoided if the council had put adequate data protection policies, training and checks in place.

The council has recovered all of the information mistakenly sent to the wrong recipients. It will now update its existing data protection policy to include specific provisions for the handling of personal data by social services staff. As part of the updated procedure, any outgoing letter containing sensitive or confidential data will be checked by a second member of staff before it is sent. The council’s data protection training scheme will also be improved.

“Information about children’s care, as well as details about their health and wellbeing, is some of the most sensitive information a local authority holds. It is of vital importance that this information is protected and that robust policies are followed before it is disclosed,” said Ken Macdonald, Assistant Commissioner for Scotland.

The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals in the United Kingdom. The penalty is the first that the ICO has served against an organisation in Scotland.

This comes just days after the European Commission proposed an update to European data protection law. The proposals include a requirement to report data breaches within 24 hours and an increase in the fines that organisations may face for breaching data protection rules.