Councils fined for failing to keep sensitive children’s data safe

Two English councils have been fined a total of £180,000 by the Information Commissioner for failing to keep sensitive information about the welfare of children secure.

Croydon council was fined £100,000 after a bag containing papers relating to the care of a child sex abuse victim was stolen from a London pub in April 2011.

The unlocked bag, which has since been recovered, belonged to a social worker and contained information about the sexual abuse of a child and six other people connected to a court hearing. The social worker had taken the papers home for use at a meeting the following day.

The ICO’s investigation found Croydon council’s data protection guidance was not actively communicated to staff.

Its policy on data security was also found to be inadequate and did not stipulate how sensitive information should be kept secure when taken outside the office.

Norfolk council was fined £80,000 for disclosing information about allegations against a parent and the welfare of their child to the wrong recipient, also in April 2011.

The breach occurred when a social worker inadvertently wrote the wrong address on a report and hand delivered it to the intended recipient’s next door neighbour. The report contained confidential and highly sensitive personal data about a child’s emotional and physical wellbeing.

The penalties bring the total amount served by the Information Commissioner’s Office (ICO) to organisations in serious breach of the Data Protection Act to over £1m.

Stephen Eckersley, head of enforcement at the ICO, said: “We appreciate that people working in roles where they handle sensitive information will – like all of us – sometimes have their bags stolen.

“However, this highly personal information needn’t have been compromised at all if Croydon Council had appropriate security measures in place. 

“One of the most basic rules when disclosing highly sensitive information is to check and then double check that it is going to the right recipient. Norfolk council failed to have a system for this and also did not monitor whether staff had completed data protection training.

“While both councils acted swiftly to inform the people involved and have since taken remedial action, this does not excuse the fact that vulnerable children and their families should never have been put in this situation.”

Both councils will now ensure that effective data protection measures are put in place.

More information

Guidance on the security measures that should be in place when handling personal data is available on the ICO website