A local authority has been censured by the Information Commissioner for its inadequate response to a serious data protection breach by one of its social workers.
The Information Commissioner’s Office (ICO) ordered Wolverhampton Council to ensure all of its staff are adequately trained in data protection within 50 days, after finding that the local authority had failed to address data protection failures more than two years after a significant error by one of its social workers. In January 2012 the social worker sent a former service user a report detailing their time in care without removing sensitive information about the recipient’s sister.
The council introduced mandatory data protection training for all staff in May last year, in line with ICO guidance issued after an audit conducted just prior to the incident. The programme was scheduled to be completed by the end of February 2014 but across the council more than two-thirds (68%) of employees are still to receive it.
Stephen Eckersley, the ICO’s head of enforcement, described the council’s delay in getting staff adequately trained as “startling”.
“Over two years ago, we reviewed the council’s practices and highlighted the need for guidance and mandatory training to help its staff keep residents’ information secure,” said Eckersley.
“Despite numerous warnings the council has failed to act, with over two thirds of its staff still remaining untrained. We have acted before this situation is allowed to continue any longer and more people’s personal information is lost.”
Should the council fail to comply with the ICO’s order, the matter will be treated as contempt of court.
A Wolverhampton council spokesperson said the training programme is “on track”.
“The council accepts the findings in the Information Commissioner’s Office (ICO) report. This is one of a number of significant measures we have put in place to improve the council’s Information Governance service since the ICO’s audit in 2011,” the spokesperson said.