ICO Slaps Cheshire East Council With £80,000 Fine

The Information Commissioner’s Office (ICO) has confirmed it has fined Cheshire East Council a rather stiff £80,000 for failing to have adequate security measures in place when emailing personal information.

The fine was triggered because of a serious breach of the Data Protection Act, which occurred in May 2011.

Data breach

According to the ICO, a council employee was asked to contact the local voluntary sector co-ordinator, to alert local voluntary workers to a police force’s concerns about an individual who was working in the area.

Instead of emailing the information via the council’s secure system, the council worker sent an email to the local voluntary sector co-ordinator via her personal email account. She said she did this because the co-ordinator did not have an appropriate email account and that using the secure email system would have prevented the information from being further disseminated.

But the email contained the name and an alleged alias for the individual as well as information about the concerns the police had about him. This information was then forwarded by the co-ordinator to 100 intended recipients.

The real problem arose because the email did not have any clear markings or advice on how it was to be treated, and thus the recipients interpreted the wording of the message to mean that they, too, should forward the email to other voluntary workers. The email was therefore sent to 180 unsanctioned recipients.

“While we appreciate that it is vitally important for genuine concerns about individuals working in the voluntary sector to be circulated to relevant parties, a robust system must be put in place to ensure that information is appropriately managed and carefully disclosed,” said Stephen Eckersley, the ICO’s Head of Enforcement.

£1 million in fines

“Cheshire East Council also failed to provide this particular employee with adequate data protection training,” he said. “The highly sensitive nature of the information and the need to restrict its circulation should have been made clear to all recipients.

“I hope this case – along with the fact that we’ve handed out over one million pounds worth of penalties since our powers came into force – acts as a strong incentive for other councils to ensure that they have sufficient measures in place around protecting personal data,” Eckersley added.

Earlier this week, the ICO fined two councils a total of £180,000 for failing to keep highly sensitive information about the welfare of children secure.

Croydon Council was handed a penalty of £100,000 after a bag containing papers relating to the care of a child sex-abuse victim was stolen from a London pub. Norfolk County Council was also served with an £80,000 penalty for disclosing allegations against a parent and the welfare of their child to the wrong recipient.

Track record

Despite a slow start to issuing financial penalities in 2010, the ICO has been much busier of late, after it recently pledged to crack down on rule breakers in 2012. The Metropolitan Police admitted earlier this month to accidentally sharing over 1,000 email addresses of crime victims with other victims.

In January, Midlothian Council was fined £140,000 for disclosing sensitive personal data relating to children and their carers on five separate occasions.

Not all are accepting these fines. The Brighton and Sussex University Hospitals NHS Trust, for example, warned that it would appeal if it was fined £375,000, an amount specified by the ICO. This incident refers to hard disk drives, containing patient data, that were handed over to a registered contractor for destruction, only to end up for sale on eBay.

Under current legislation, the ICO has the power to issue a fine of up to £500,000 to organisations which have committed a serious breach of the Data Protection Act (DPA).

However, the ICO believes this is not enough and wants jail sentences, a stance backed by MPs on the Justice Committee, after they called for more severe penalties, including custodial sentences, to be imposed on those found guilty of breaching the Act.

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...

View Comments

  • Dear Sir,

    Last week we saw the Information Commissioner move forward with the tough penalties he initially introduced last year around NHS data breaches with three councils receiving fines for separate cases of lost personal details totalling £180,000.

    In these times of austerity, increasingly we’re seeing organisations pushing budgets to the limit, so much so that security is one of the first things that can get neglected, particularly as such functions have traditionally been perceived as costly.

    This is a timely reminder of the type of risks that organisations can impose on themselves and their customers if the right precautions to protect information are not followed, and the mess organisations can get into if measures to detect such breaches are lax.

    Data breaches are becoming a part of an everyday experience for many organisations. Clearly more needs to be done to get to the root of the problem and educate employees on the importance of data security, before we face a data breach with national consequences.

    Kevin Norlin,
    GM & VM (EMEA) Quest Software

Recent Posts

The Sustainability of AI

While AI promises unparalleled efficiency, productivity, and innovation, questions regarding its environmental impact loom large.…

3 hours ago

Trump’s Truth Social Makes Successful Market Debut

Shares in Donald Trump’s social media company rose about 16 percent after first day of…

3 hours ago

Dutch PM Raises Cyber Espionage Case With China’s Xi

Beijing visit sees Dutch Prime Minister Mark Rutte discuss cyber espionage incident with Chinese President…

4 hours ago

Vodafone Germany Confirms 2,000 Job Losses, Amid European Restructuring

More downsizing at Vodafone after German operation announces 2,000 jobs will be axed, as automation…

20 hours ago

AI Poses ‘Jobs Apocalypse’, Warns Report

IPPR report warns AI could remove almost 8 million jobs in the United Kingdom, with…

21 hours ago

Europe’s Longest Hyperloop Test Track Opens

European Hyperloop Center in the Netherlands seeks to advance futuristic transport technology, despite US setbacks

22 hours ago