ICO Raps Councils for Losing Child Data

As the ICO publishes a code of practise for the storing of personal data, three local councils are rapped for losing personal details on thousands of children

The Information Commissioner’s Office (ICO) has rapped three local councils over the knuckles for losing the personal details of thousands of children, just days after it  published a code of practice for keeping personal information safe online.

The ICO‘s guidelines instruct organisations on the proper guidelines for gathering personal information – however three local councils have chosen this moment to put the personal data of around 9000 children at risk.

Stick To The Code

Speaking at the launch of the code of practice, Christopher Graham, the Information Commissioner, appealed to businesses, charities and public bodies to be straight with consumers so that people know why their personal information is being collected, how it will be used and who else may end up seeing it.

“The benefits of the internet age are clear: the chance to make more contacts, quicker transactions and greater convenience,” said Graham. “But there are risks too. A record of our online activity can reveal our most personal interests. Get privacy right and you will retain the trust and confidence of your customers and users; mislead consumers or collect information you don’t need and you are likely to diminish customer trust and face enforcement action from the ICO.”

Organisations that adhere to the good practice set out in the new code will enable consumers to make an informed choice about whether they sign up for a particular online service, said Graham.

“Organisations must be transparent so that consumers can make online privacy choices and see how their information will be used,” Graham advised. “Individuals can take control by checking their privacy settings and being careful about the amount of personal details they post to social networking sites and elsewhere online.”

“A code of practice may seem like a restriction: however, it gives online marketers and advertisers an excellent chance of avoiding any more stringent regulation,” said Roger Llewellyn, CEO of Business Intelligence and data analysis expert Kognitio. “Already the ICO has flexed its muscles over organisations that lose or abuse data, and its powers are likely to be increased over the next year. The code of practice as it stands is relatively lenient, meaning that organisations will have no excuse if they fall foul of the ICO.”

Councils Break DPA

The publication of the Code comes as the ICO said the personal details of over 9,000 children have been put at risk by three councils. The ICO said it has taken action against the London Borough of Barnet, West Sussex County Council and Buckinghamshire County Council for breaching the Data Protection Act (DPA).

“These three councils have shown a poor regard for the importance of protecting children’s personal information,” said Sally-Anne Poole, Enforcement Group Manager at the ICO. “It is essential that councils ensure the correct preventative safeguards are in place when storing and transferring personal information, especially when it concerns sensitive information relating to children. A lack of awareness and training in data protection requirements can lead to personal information falling into the wrong hands.”

By far the worst case was London Borough of Barnet, after an unencrypted, non-password protected USB stick and CDs containing the sensitive personal information of over 9,000 children and members of their families was stolen from the home of a council employee. This employee had downloaded the data onto the unencrypted devices without any authorisation to do so, although it was later revealed that there was no training provided or security in place to prevent such downloads, despite the ICO warning this very same council of this lack of staff training prior to the incident.

There was a similar incident at West Sussex County Council, after a council worker had a laptop stolen from home. This unencrypted laptop contained sensitive personal data relating to an unknown number of children and families involved in childcare proceedings.

Meanwhile the Buckinghamshire County Council said that it had lost documents at Heathrow airport containing sensitive personal data relating to two children. The documents were in a plastic wallet belonging to a council social work employee who was travelling to another UK city in connection with the children’s social care case.

Not Rocket Science

“I am particularly concerned where a public authority has previously been warned about the lack of staff training in data security,” said Sally-anne Poole. “Breaches involving such large numbers of children and family members could easily have been avoided. I am pleased that all of the councils have now taken or proposed action to prevent against further data breaches.”

“It is outrageous that three whole councils seem to have so little regard to keeping our children safe,” commented Chris McIntosh, CEO of encryption expert Stonewood Group. “It is bad enough that they don’t protect their own data, but to lose information about those who are the most vulnerable is beyond unacceptable.”

“When Barnet’s loss was first made public it sounded as if they were putting essential procedures in place, but by the sound of it, that wasn’t the case. It is clear that even the need to improve the security of our children’s data hasn’t been taken seriously enough,” McIntosh added. “You have to ask what else needs to happen before companies and councils start protecting our data properly. Employees are always going to lose memory sticks and laptops, but that doesn’t have to mean data loss. It’s not rocket science, there will always be simple human errors.”