Surrey Council Hit By Biggest ICO Fine To Date

Surrey County Council has been fined £120,000 for sending sensitive data to taxi firms, among other breaches

The Information Commissioner’s Office (ICO) on Thursday issued its biggest fine to date, imposing a penalty of £120,000 on Surrey County Council for disclosing individuals’ personal data on three separate occasions.

The incidents included sending personal data to groups including taxi firms and people who had subscribed to the council newsletter.

‘Shocking’

“The fact that sensitive personal information relating to the health and welfare of 241 vulnerable individuals was sent to the wrong people is shocking enough,” said UK information commissioner Christopher Graham, in a statement. “But when you take into account the two similar breaches that followed, it is clear that Surrey County Council failed to fully address the risks of sending sensitive personal data by email until it was far too late.”

In the first incident, on 17 May, 2010, a member of staff in the council’s Adult Social Care Team emailed a file containing information on 241 individuals’ physical and mental health to a group email address whose members included taxi firms and coach and mini-bus hire services. The council attempted to recall the email, but was later unable to confirm that all the recipients had destroyed it, the ICO said.

The email was not encrypted or password protected, and thus could have been viewed by any of the recipients, according to the ICO.

In the second incident, on 22 June, 2010, confidential data on a number of individuals was emailed to one hundred subscribers to a council newsletter.

In the third incident, on 21 January, 2011, the council’s Children’s Services department sent sensitive information, including health information, to the wrong internal email address.

“Surrey County Council has paid the price for their failings and this case should act as a warning to others that lax data protection practices will not be tolerated,” Graham stated.

Improved security

The council has since instituted new measures including an early warning system alerting staff when sensitive information is being sent to an external email address, and improved training.
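The control the council describes, a warning when sensitive content is addressed outside the organisation, can be sketched as an outbound-mail check. The block below is an added illustration, not the council’s or the ICO’s code: the domain `example-council.gov.uk`, the keyword and number-format markers, and the sample messages are all constructed for the example.

```python
"""Outbound-email check: warn when sensitive content is addressed outside the organisation.

Added example. The organisation domain, the sensitivity markers and the sample
messages are constructed; a real deployment would plug in its own classification
rules (document labels, template fingerprints, etc.).
"""
import re
from dataclasses import dataclass, field
from email.utils import getaddresses

# Hypothetical council domain (constructed for this example).
ORG_DOMAIN = "example-council.gov.uk"

# Constructed markers of sensitive content. Deliberately simple: the point is the
# external-recipient + sensitive-content combination, not the matching itself.
SENSITIVE_PATTERNS = {
    "health_terms": re.compile(
        r"\b(diagnosis|medication|mental health|disability|care plan)\b", re.IGNORECASE),
    "nhs_number_like": re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{4}\b"),
    "classification_label": re.compile(r"\b(OFFICIAL-SENSITIVE|CONFIDENTIAL)\b"),
}


@dataclass
class OutboundMessage:
    sender: str
    to: list                       # raw header values, e.g. 'Dispatch <dispatch@taxi.example>'
    subject: str
    body: str
    attachment_names: list = field(default_factory=list)


def external_recipients(msg, org_domain=ORG_DOMAIN):
    """Return recipient addresses whose domain is neither the organisation nor a subdomain of it."""
    external = []
    for _display_name, addr in getaddresses(msg.to):
        if "@" not in addr:
            continue
        domain = addr.rsplit("@", 1)[1].lower()
        if domain != org_domain and not domain.endswith("." + org_domain):
            external.append(addr.lower())
    return external


def sensitivity_markers(msg):
    """Names of the sensitivity patterns that match the subject, body or attachment names."""
    text = "\n".join([msg.subject, msg.body, *msg.attachment_names])
    return sorted(name for name, pat in SENSITIVE_PATTERNS.items() if pat.search(text))


def evaluate(msg):
    """WARN on sensitive content to external recipients; NOTICE on any external send; ALLOW otherwise."""
    external = external_recipients(msg)
    markers = sensitivity_markers(msg)
    if external and markers:
        verdict = "WARN"
    elif external:
        verdict = "NOTICE"
    else:
        verdict = "ALLOW"
    return {"verdict": verdict, "external": external, "markers": markers}


# Constructed sample traffic.
SAMPLE_MESSAGES = [
    OutboundMessage(
        sender="worker@example-council.gov.uk",
        to=["Dispatch <dispatch@taxi.example>", "bookings@coachhire.example"],
        subject="Transport list",
        body="Attached care plan and medication notes for clients on the Monday run.",
        attachment_names=["client_care_plans.xlsx"],
    ),
    OutboundMessage(
        sender="comms@example-council.gov.uk",
        to=["newsletter@example-council.gov.uk"],
        subject="Weekly newsletter",
        body="Library opening hours change next week.",
    ),
    OutboundMessage(
        sender="worker@example-council.gov.uk",
        to=["dispatch@taxi.example"],
        subject="Pickup times",
        body="Please confirm Monday pickup times.",
    ),
]


def run_samples():
    """Verdict for each constructed sample message, in order."""
    return [evaluate(m)["verdict"] for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        result = evaluate(m)
        print(result["verdict"], repr(m.subject), result["external"], result["markers"])
```

One caveat this check makes visible: a group address such as a distribution list on the organisation’s own domain looks internal to a domain test, even when the list expands to outside members, which is what happened in the first incident described above. A recipient-domain check therefore needs to be paired with either list-membership expansion at the gateway or a content rule that fires regardless of recipient.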

The ICO has recently been criticised for not imposing enough fines.

The ICO was given the power to fine companies that fall foul of the data breach laws up to £500,000 in January 2010, but did not issue its first penalty until November 2010, following months of apparent inaction. Hertfordshire County Council was ordered to pay a fine of £100,000 for revealing details of a sex abuse case to a member of the public, and employment agency A4e was fined £60,000 for losing a laptop which contained the unencrypted details of thousands of people.

Then in February, Ealing Council was hit with an £80,000 fine and Hounslow Council was charged £70,000, for losing laptops that contained sensitive personal data.

A recent report by the Ponemon Institute revealed that the average data breach costs UK organisations £1.9 million – an increase of 13 percent from 2009, and 18 percent from 2008. The report, which was sponsored by Symantec, found that incidents ranged from 6,900 to 72,000 records, with the cost of each breach varying from £36,000 to £6.2 million.