A council has been fined £70,000 by the Information Commissioner’s Office (ICO) for leaving the details of vulnerable people exposed online for five years.
Nottinghamshire council was found to have posted the gender, addresses, postcodes and care requirements of older and disabled people in an online directory, which did not have basic security or access restrictions, such as a username or password.
The directory even revealed whether or not people were still in hospital, the ICO found.
The data breach was only discovered when a member of the public unintentionally came across the information through a search engine, and was concerned that it could be used by criminals to target vulnerable people in their homes.
Steve Eckersley, head of enforcement at the Information Commissioner’s Office, said the council’s actions represented “a serious and prolonged breach of the law”.
The council said it was “very sorry” that the error occurred, and “wholeheartedly accepted” the Information Commissioner’s findings.
‘Unacceptable and inexcusable’
An investigation by the ICO found that the council had launched an online portal called the ‘Home Care Allocation System’ in July 2011, which allowed social care providers to confirm they had the capacity to support a particular service user.
When the data breach was reported in June 2016, the system contained a directory of 81 service users, but it is understood that the data of 3,000 people had been posted in the five years that the system was online. The ICO said that although service users’ names were not included, “a determined person” would be able to identify them.
Eckersley added: “For no good reason, the council overlooked the need to put robust measures in place to protect people’s personal information, despite having the financial and staffing resources available.
“Given the sensitive nature of the personal data and the vulnerability of the people involved, this was totally unacceptable and inexcusable. Organisations need to understand that they have to treat the security of data as seriously as they take the security of their premises or their finances.”
‘Full review of procedures’
Caroline Baria, director of adult services at Nottinghamshire council, said: “As soon as this matter came to our attention we removed the home care directory from the internet and reported the incident to the commissioner. At the time the directory included partial addresses and a brief outline of the care needs of 81 people who have required home care services, but the information did not contain any names or house numbers.
“A full review of procedures has been carried out and we are now using a different system for home care providers outside of the internet.”