ICO Slams Local Government As It Hands Out More Data Breach Fines

The Information Commissioner’s Office (ICO) today lambasted local councils’ security practices, detailing how a host of authorities have been hit with significant fines for data breach offences.

Leeds City Council, Devon County Council and the London Borough of Lewisham have all been told to pay tens of thousands of pounds, the ICO said. The ICO also pointed to a £60,000 monetary penalty handed to Plymouth City Council, which the watchdog announced last month.

Leeds was handed the largest fine of all, at £95,000, after personal details about a child in care were sent to the wrong person. Details of a criminal offence, school attendance and information about a child’s relationship with their mother were handed to the wrong recipient after the council re-used an envelope without crossing out the old address.

Data breach bonanza

In Devon, an employee used a previous case as a template for an adoption panel report they were writing up, but sent out a copy of the old report instead of the new one, leaking data on 22 people. That data breach saw details of mental and physical health exposed.

As for Lewisham, a worker left data from GP and police reports, including allegations of sexual abuse and neglect, in a shopping bag on a train.

The ICO said it was hugely concerned about councils’ data handling and would be taking further action to ensure practices are improved across local government.

“We are fast approaching two million pounds worth of monetary penalties issued to UK councils for breaching the Data Protection Act, with 19 councils failing to have the most straightforward of procedures in place,” said information commissioner Christopher Graham.

“It would be far too easy to consider these breaches as simple human error. The reality is that they are caused by councils treating sensitive personal data in the same routine way they would deal with more general correspondence.

“There is clearly an underlying problem with data protection in local government and we will be meeting with stakeholders from across the sector to discuss how we can support them in addressing these problems.”

Leeds City Council chief executive Tom Riordan said the authority would welcome the chance to be part of any broad national review to strengthen practice. “We accept the findings of the information commissioner and although we have already apologised to the individual affected we would like to take this opportunity to do so again,” he added.

Christian Toon, head of information risk at Iron Mountain, said the cases of data loss were “extremely worrying”. “We entrust public sector organisations with our most personal data. In return for this we have a right to expect that those details are treated with responsibility and care,” he told TechWeekEurope.

The ICO is currently lobbying the UK government, asking for powers to audit local councils’ data protection compliance without requiring consent. The watchdog recently praised the private sector for promoting good data security practice, after releasing audit results.

But the ICO was criticised for using data that was unfairly weighted in favour of private organisations when compared to public sector bodies. Far more audits were carried out in the public sector, making a comparison statistically irrelevant, one critic said.


Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.
