The Information Commissioner has fined Cheshire East council £80,000 for not properly protecting personal data
The Information Commissioner’s Office (ICO) has confirmed it has fined Cheshire East Council a rather stiff £80,000 for failing to have adequate security measures in place when emailing personal information.
The fine was triggered because of a serious breach of the Data Protection Act, which occurred in May 2011.
According to the ICO, a council employee was asked to contact the local voluntary sector co-ordinator, to alert local voluntary workers to a police force’s concerns about an individual who was working in the area.
Instead of emailing the information via the council’s secure system, the council worker sent an email to the local voluntary sector co-ordinator via her personal email account. She said she did this because the co-ordinator did not have an appropriate email account and that using the secure email system would have prevented the information from being further disseminated.
But the email contained the name and an alleged alias for the individual as well as information about the concerns the police had about him. This information was then forwarded by the co-ordinator to 100 intended recipients.
The real problem arose because the email did not have any clear markings or advice on how it was to be treated, and thus the recipients interpreted the wording of the message to mean that they, too, should forward the email to other voluntary workers. The email was therefore sent to 180 unsanctioned recipients.
“While we appreciate that it is vitally important for genuine concerns about individuals working in the voluntary sector to be circulated to relevant parties, a robust system must be put in place to ensure that information is appropriately managed and carefully disclosed,” said Stephen Eckersley, the ICO’s Head of Enforcement.
£1 million in fines
“Cheshire East Council also failed to provide this particular employee with adequate data protection training,” he said. “The highly sensitive nature of the information and the need to restrict its circulation should have been made clear to all recipients.
“I hope this case – along with the fact that we’ve handed out over one million pounds worth of penalties since our powers came into force – acts as a strong incentive for other councils to ensure that they have sufficient measures in place around protecting personal data,” Eckersley added.
Earlier this week, the ICO fined two councils a total of £180,000 for failing to keep highly sensitive information about the welfare of children secure.
Croydon Council was handed a penalty of £100,000 after a bag containing papers relating to the care of a child sex-abuse victim was stolen from a London pub. Norfolk County Council was also served with an £80,000 penalty for disclosing allegations against a parent and the welfare of their child to the wrong recipient.
Despite a slow start to issuing financial penalities in 2010, the ICO has been much busier of late, after it recently pledged to crack down on rule breakers in 2012. The Metropolitan Police admitted earlier this month to accidentally sharing over 1,000 email addresses of crime victims with other victims.
In January, Midlothian Council was fined £140,000 for disclosing sensitive personal data relating to children and their carers on five separate occasions.
Not all are accepting these fines. The Brighton and Sussex University Hospitals NHS Trust, for example, warned that it would appeal if it was fined £375,000, an amount specified by the ICO. This incident refers to hard disk drives, containing patient data, that were handed over to a registered contractor for destruction, only to end up for sale on eBay.
Under current legislation, the ICO has the power to issue a fine of up to £500,000 to organisations which have committed a serious breach of the Data Protection Act (DPA).
However, the ICO believes this is not enough and wants jail sentences, a stance backed by MPs on the Justice Committee, after they called for more severe penalties, including custodial sentences, to be imposed on those found guilty of breaching the Act.