Some council staff don’t know the difference between internal and external email, the ICO has found
The Information Commissioner’s Office (ICO) has fined the North Somerset Worcestershire County Councils for sending highly sensitive personal information to the wrong recipients.
The Worcestershire County Council was served a £80,000 penalty for a March 2011 breach, while the North Somerset Council received a £60,000 fine for a serious breach of the Data Protection Act at the end of 2010, according to the ICO.
Training to use email
The Worcestershire County Council employee responsible for the breach emailed highly sensitive personal information about a large number of vulnerable people to 23 unintended recipients. The employee, realising the error, immediately contacted the recipients, who, working for registered organisations and used to operating within the council’s protocols about handling sensitive data, deleted the email.
According to a statement by the ICO, its investigation found that the council had failed to safeguard data, by either providing specific training for staff on how to tell the difference between an internal and external email list, or by considering alternative means of handling the information.
Information Commissioner, Christopher Graham, believes that “There is too much of this sort of thing going on across local government. People who handle highly sensitive personal information need to understand the real weight of responsibility that comes with keeping it secure. Of course this includes having the correct training and policies in place, but it’s also about common sense. Considering whether email is the appropriate medium, checking and double checking that the right recipients will receive the information – and measures like encryption and data minimisation – should be routine. I hope these penalties send a clear message to those working in the social care sector. The Information Commissioner takes this sloppiness seriously – and so should you.”
Just didn’t care
During November and December 2010, a North Somerset Council employee added the wrong email address to a distribution list and despite being told of the error, continued to send the wrong NHS employee a total of five emails, two of which contained highly sensitive and confidential information about a child’s serious case review.
The issue had to be raised at senior level before it was resolved, and even after two of the council’s Assistant Directors highlighted the issue with the employee, a fifth and final email was sent by the staffer.
Once again, the ICO found that, although North Somerset Council had some policies and procedures in place, it had not done enough to train staff on data protection, and recommended adopting more secure means of sending information electronically, including encryption and ensuring that managers sign off email distribution lists.
“Personal information in cases involving vulnerable people is about the most sensitive personal information imaginable. It is of great concern that this sort of information was simply sent to the wrong recipients by staff at two separate councils. It was fortunate that in both cases at least the email recipients worked in a similar sector and so were used to handling sensitive information. This mitigating factor has been taken into account in assessing the amount of the penalties,” added Graham.
After a series of embarassing breaches by councils all over the country, the ICO has stated that it will be pressing the Ministry of Justice for stronger powers to audit local councils’ data protection compliance, if necessary without consent. The same powers are sought for NHS bodies, also plagued by data protection breaches.