Powys Gets Biggest ICO Fine Yet For DPA Breach

Powys County Council slammed for over-sharing child-protection case details

The Information Commissioner’s Office (ICO) has fined Powys County Council £130,000 for a serious breach of the Data Protection Act (DPA).

This is the largest fine issued by the commission since it was given the powers to do so in April 2010 and, according to Assistant Commissioner for Wales Anne Jones, this latest in a series of breaches in the sector shows a worrying trend. “There is clearly an underlying problem with data protection in social services departments and we will be meeting with stakeholders from across the UK’s local government sector to discuss how we can support them in addressing these problems,” she said.

Third time lucky?

Powys County Council breached the DPA in February this year when staff members sent details of an unrelated child protection case to a member of the public, along with information relating to the recipient’s own children.

According to a statement by the ICO: “Two separate reports about child protection cases were sent to the same shared printer. It is thought that two pages from one report were then mistakenly collected with the papers from another case and were sent out without being checked. The recipient mistakenly received the two pages of the report and knew the identities of the parent and child whose personal details were included in the papers. The recipient made a complaint to the council and a further complaint was also submitted by the recipient’s mother via her MP.”

This breach, according to the statement, was not the council’s first. A similar incident, reported to the ICO in June 2010, occurred when a social worker sent information relating to another unrelated vulnerable child to the same member of the public, who also knew that child.

The council had insisted that the first incident was a one-off error and promised to put training in place to avoid further incidents. At the time of the second breach, seven months later, the council had still not made such training mandatory for social work staff, nor had any been provided.

The ICO had warned the council to introduce mandatory training and to tighten up its security measures, or face stronger measures, and now the ICO has threatened to take the council to court if it does not clean up its act.

Jones added, “This is the third UK council in as many weeks to receive a monetary penalty for disclosing sensitive information about vulnerable people. It’s the most serious case yet and it has attracted a record fine. The distress that this incident would have caused to the individuals involved is obvious and made worse by the fact that the breach could have been prevented if Powys County Council had acted on our original recommendations.”