The Information Commissioner’s Office (ICO) has issued Plymouth City Council a £60,000 fine for a serious breach of the Data Protection Act, after it found that the details of a child neglect case were sent to the wrong recipient.
The report detailed highly sensitive personal information about two parents and four children, including allegations of child neglect.
An ICO investigation found that the council had no secure system in place for printing reports containing sensitive personal data, and had failed to take reasonable steps to ensure reports were checked before they were sent out.
The error happened after a social worker tried to print the report on another social worker’s printer, which didn’t immediately work. The documents remained stored on the system, however, and were picked up together with another report that the other social worker printed at a later date.
All of these documents were then sent out together to one family, who received details about a family that wasn’t related to them.
“It would be too easy to consider this a simple human error. The reality is that this incident happened because not enough care was being taken within the organisation when handling vulnerable people’s sensitive information,” said Stephen Eckersley, Head of Enforcement at the ICO.
“The distress this incident will have caused the people involved is obvious, and the penalty we have issued today reflects that.”
The ICO recently fined Scottish Borders Council a whopping £250,000 under the Data Protection Act for not putting in appropriate guarantees when it outsourced responsibility to an external company to digitise employees’ pension records.
Some 676 records, which contained information on employee salaries and bank accounts, were deposited by the unnamed company into a recycle bin in a supermarket car park. The files were spotted by a member of the public, who called the police.