Council fined for child data lapses

Jan 30 2012

A council has been handed the biggest ever fine for disclosing sensitive personal data after sending details of children and their carers to the wrong people five times last year.

The Information Commissioner's Office (ICO) fined Midlothian Council £140,000 over the breaches, which it said caused "serious upset" to the children's families. It is the largest fine issued over such breaches by the ICO to date, and the first to an organisation in Scotland, the ICO said.

But Brighton and Sussex University Hospitals NHS Trust is contesting a possible fine of up to £375,000 after computer hard drives containing confidential information belonging to tens of thousands of patients and staff were stolen and put up for sale on eBay. All the breaches by Midlothian Council involved children's social service reports being sent to the wrong recipients between January and June last year.

Ken Macdonald, the ICO's assistant commissioner for Scotland, said: "Information about children's care, as well as details about their health and wellbeing, is some of the most sensitive information a local authority holds. It is of vital importance that this information is protected and that robust policies are followed before it is disclosed.

"The serious upset that these breaches would have caused to the children's families is obvious and it is extremely concerning that this happened five times in as many months. I hope this penalty acts as a reminder to all organisations across Scotland and the rest of the UK to ensure that the personal information they handle is kept secure."

The ICO's investigation found that all five breaches could have been avoided if the council had put adequate data protection policies, training and checks in place.

In one case, papers relating to the status of a foster carer were sent to seven healthcare professionals, none of whom had any reason to see the information, while in another, minutes of a child protection conference were sent to the former address of a mother's partner, where they were opened and read by his ex-partner. The papers also contained personal data about the children's mother, who made a complaint to her social worker.

Colin Anderson, the council's chief social work officer, said: "As soon as the council discovered the problem, it investigated and found eight letters or documents had been sent to the wrong recipients, for which the council is sincerely sorry. The council immediately took steps to retrieve the information, or have it destroyed, and voluntarily reported ourselves to the Information Commissioner.

"I must emphasise that there is no evidence that anyone was put at risk." He went on: "While the council accepts there were mistakes, they were caused by human error. Clear procedures were in place but were not followed."

Three other alleged breaches by the council are still being investigated by the ICO, the council said.