Windsor and Maidenhead council has been ordered to review its data protection policies after restricted details of employees were accidentally posted to an organisation-wide intranet.
A report handed to the Information Commissioner’s Office detailed an incident on January 2013 where information on 257 employees was disclosed on the council’s internal website.
Spreadsheet data relating to individuals who had not signed a new employment contract was accidentally attached to a ‘review document’ published by the council and viewable by all employees, rather than being added as a separate, restricted item.
A subsequent investigation by the ICO revealed that the council had failed to put in place adequate training and safeguards around data protection.
“The incident itself was minor in that no sensitive personal data was included and the disclosure took place on the data controller’s intranet, accessible only to employees,” an ICO report stated.
“However the Commissioner’s investigation discovered that training in data protection and information security had not previously been a mandatory requirement for employees with access to personal data."
The ICO also stated that that the council’s own procedures on the handling of data “were incomplete”.
The council has now agreed to review its policies, and ensure that all staff are aware of procedures by the end of the year.
Furthermore, all staff with access to personal data shall be trained in data protection measures as soon as their employment commences, with existing staff receiving immediate training.