The Information Commissioner’s Office (the “ICO”) has fined Midlothian Council £140,000 for five separate security breaches, which involved accidental disclosure of confidential and sensitive personal data about children and carers to the wrong recipients. The breaches, which took place between March and June last year, all involved sensitive information relating to the Council’s Children and Families Service (the “C&F Service”) being inadvertently sent out to unintended third parties. In each case the ICO determined that the contravention was of a kind likely to cause substantial distress. In one of the breaches the matter was aggravated by the fact that the information concerned (which was minutes of a child protection conference) may have been further disclosed to individuals who live in the same locality as the relevant mother and child involved.
The ICO said that staff at the C&F Service dealt with confidential and sensitive personal data on a daily basis but did not have any role-specific guidance or working procedures that promoted good practice in data handling. The ICO found that training in the C&F Service was inadequate and staff were largely unaware of their responsibilities under the Data Protection Act (the “Act”).
The Council has now taken remedial action which includes recovering the information from the unintended recipients, providing all staff in the C&F Service with relevant training sessions, putting into place procedures intended to avoid similar mistakes occurring in the future and to ensure that the relevant databases contain accurate and up-to-date information at all times.
The £140,000 fine was not only the highest fine imposed by the ICO to date, but was also the first levied against a Scottish organisation. The fine will be reduced to £112,000 if it is paid by 23 February 2012, which is also the date the Council has until to appeal the fine.
A spokesperson for the Council said: “The Council immediately took steps to retrieve the information, or have it destroyed, and voluntarily reported ourselves to the Information Commissioner. I must emphasise that there is no evidence that anyone was put at risk“. It seems unlikely the Council will appeal given it has accepted that there were mistakes caused by human error. However any appeal could be based on the size of the fine, as opposed to the fact it was imposed.
Under the Act the ICO has the power to issue fines of up to £500,000 for serious breaches of personal data. It is clear the ICO wanted to send out a strong warning to “data controllers” (as defined under the Act) in order to remind organisations of their obligations and avoid similar mistakes. It seems that the ICO has approximately 20 similar Civil Monetary Penalty cases in the pipeline, with at least six organisations having been issued with a Notice of Intent (total value £875,000) and a further three awaiting signature (total value £300,000). Meanwhile, Brighton and Sussex University Hospitals NHS Trust may yet trump Midlothian Council in the highest fine stakes if it is unsuccessful in its challenge of the ICO’s proposed £375,000 fine relating to stolen computer hard drives, containing sensitive patient data, sold on Ebay.