Nottingham County Council was fined £70,000 by the ICO for failing to take adequate measures to keep sensitive information secure.
In July 2011, the Council launched an online portal, the Home Care Allocation System, to assist with assigning support to elderly and disabled persons. The portal contained an online directory with contact details, individuals' care requirements and whether the person was currently in hospital, but did not include the individual's name. The portal had no security or access restrictions, and the data was found to be reachable through a search engine without any username or password. At the time the breach was reported, the system contained details of 81 (unnamed) individuals, but it is understood to have held information relating to about 3,000 people over the 5 years before the issue was flagged.
The online portal had no authentication process to identify users or provide a secure access route. The ICO found that the Council breached the seventh data principle of the Data Protection Act by failing to take appropriate technical measures to prevent unauthorised and unlawful processing of personal data.