Council fined £90,000 for two child data breaches

A local authority in England has been fined £90,000 by the Information Commissioner for failing to protect sensitive data about four children.

The fine followed two data breaches within two months by Telford and Wrekin council. The first, on 31 March 2011, occurred when a member of staff in the council’s safeguarding service sent details of a child’s core assessment to the child’s sibling instead of their mother.

It included details of the child’s behaviour and the name, address, date of birth and ethnicity of a further child who had made a serious allegation against one of the other children.

In the second breach, the names and addresses of the foster care placements of two young children were included in their Placement Information Record (PIR). This was printed out and shown to the children’s mother who noticed the foster carers’ address. Following this breach, the council moved the children to alternative placements.

An investigation by the council found the relationship records on the children’s information system Protocol, for the children in the first incident, lacked sufficient information. There was also no mechanism in place to check the documents before they were posted out.

An investigation following the second breach found the default setting on the Protocol system included the foster carer’s details in the PIR. Again, there was no process in place to check the PIR after it was printed.

The authority has agreed to pay the fine of £90,000 and take action to avoid such breaches. This will include providing its safeguarding staff with further training and support on data protection, information security and using the Protocol system.

David Smith, deputy commissioner and director of data protection at the Information Commissioner’s Office, said the ICO’s decision to issue a penalty reflects the “seriousness” of the case.

“These were two very similar data breaches, which occurred within a short space of time, and both involved highly confidential and sensitive personal data. Most importantly, some of the people affected were vulnerable children, two of whom had to be moved to a new foster home as a result of the second data breach,” he said.

He added that it is the responsibility of all organisations – especially where children or other vulnerable people are involved – to keep sensitive personal data secure.

Related articles

Inform guide to information sharing and data protection