Council fined for sending children’s reports to wrong people

Midlothian council has been fined £140,000 for sending children’s social services reports to the wrong recipients on five occasions.

Midlothian council has been fined £140,000 by the Information Commissioner’s Office for sending children’s social services reports to the wrong recipients on five occasions.

The five serious data breaches all occurred between January and June last year, leading to the first penalty ever served by the Information Commissioner’s Office (ICO) against an organisation in Scotland.

The first breach was discovered in March 2011, following an internal investigation by Midlothian council, but similar breaches occurred in May and June.

On one occasion, papers relating to the status of a foster carer were sent to seven healthcare professionals, none of whom had any reason to see the information.

In another case, minutes of a child protection conference were accidentally sent to the former address of a mother’s partner, where they were read by his ex-partner.

The children’s mother made a complaint to her social worker after learning the papers also contained personal data about her.

Ken Macdonald, assistant commissioner for Scotland said: “The serious upset that these breaches would have caused to the children’s families is obvious and it is extremely concerning that this happened five times in as many months.

“I hope this penalty acts as a reminder to all organisations across Scotland and the rest of the UK to ensure that the personal information they handle is kept secure.”

An investigation by the ICO found each breach could have been avoided if the council had put adequate data protection policies, training and checks in place.

Midlothian council has confirmed it will update its existing data protection policy to include specific provisions for the handling of personal data by social services staff, and will improve its data protection training scheme.

The ICO is asking the government for stronger powers to audit local councils’ data protection compliance, if necessary without consent.  The same powers are sought for NHS bodies across the UK following a series of data protection breaches.

Related Articles

Confidential child protection files ended up in shop

More from Community Care

Comments are closed.