The Information Commissioner’s Office (ICO) has imposed a £120,000 fine on Surrey County Council after the local authority repeatedly sent unencrypted personal information to the wrong email addresses.
Surrey County Council’s Data Protection Act (DPA) breach is one of just a few that have been deemed serious enough to warrant a fine from the ICO, and it is the largest financial penalty to date.
The first incident, on 17 May 2010, involved an Adult Social Care Team employee emailing a file containing sensitive data relating to 241 individuals to a group email address that included taxi, coach and minibus hire companies.
The file was not encrypted or password-protected, and the council was unable to confirm that all the recipients had destroyed the information.
This was followed by a second email, sent on 22 June, in which personal data relating to a number of individuals was sent to more than 100 unintended recipients who had registered to receive a council newsletter.
In a third incident, on 21 January 2011, the Children’s Services department at the council sent sensitive information, which included data relating to an individual’s health, to the wrong internal group email address. This data did not leave the council’s network, but the breach led to sensitive information being circulated among unintended recipients.
“The fact that sensitive personal information relating to the health and welfare of 241 vulnerable individuals was sent to the wrong people is shocking enough. But when you take into account the two similar breaches that followed, it is clear that Surrey County Council failed to fully address the risks of sending sensitive personal data by email until it was far too late,” said Christopher Graham, Information Commissioner.
“Surrey County Council has paid the price for their failings and this case should act as a warning to others that lax data protection practices will not be tolerated.”
The council has now implemented measures to improve its policies on information security, including developing an early warning system that alerts staff when sensitive information is sent to an external email address. It has also improved staff training to ensure that group email addresses are clearly identifiable.
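The kind of pre-send check such an early warning system performs, as an added illustration that is not the council’s own system: it expands group aliases to their members, so that external firms or a large subscriber list hidden behind an internal-looking address are surfaced, and warns when a sensitive attachment is unencrypted or addressed to a large list. The domain, aliases and attachments are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed placeholders, not the council's real domain or address book.
INTERNAL_DOMAIN = "example-council.gov.uk"
GROUP_ALIASES = {
    # staff mixed with external hire firms, like the May 2010 incident
    "transport@example-council.gov.uk": [
        "planner@example-council.gov.uk", "bookings@example-taxi.co.uk"],
    # large external subscriber list, like the June 2010 newsletter incident
    "newsletter@example-council.gov.uk": [
        f"resident{i}@example.net" for i in range(120)],
    # an all-internal group, like the January 2011 incident
    "children@example-council.gov.uk": [
        "social.worker@example-council.gov.uk"],
}
LARGE_LIST = 50  # constructed threshold for a "confirm the list" prompt

@dataclass
class Attachment:
    name: str
    sensitive: bool   # e.g. contains health or social-care data
    encrypted: bool

def expand_recipients(addresses):
    """Replace each group alias by its members so hidden external recipients become visible."""
    seen, members, stack = set(), [], list(addresses)
    while stack:
        addr = stack.pop().lower()
        if addr in seen:
            continue
        seen.add(addr)
        if addr in GROUP_ALIASES:
            stack.extend(GROUP_ALIASES[addr])   # nested aliases are expanded too
        else:
            members.append(addr)
    return members

def check_outbound(recipients, attachments):
    """Return the warnings a sender must acknowledge; an empty list means nothing was flagged."""
    members = expand_recipients(recipients)
    external = [a for a in members if not a.endswith("@" + INTERNAL_DOMAIN)]
    sensitive = [a for a in attachments if a.sensitive]
    warnings = []
    if sensitive and external:
        warnings.append(f"sensitive data addressed to {len(external)} external recipient(s)")
        unencrypted = [a.name for a in sensitive if not a.encrypted]
        if unencrypted:
            warnings.append("unencrypted sensitive attachment(s): " + ", ".join(unencrypted))
    if sensitive and len(members) > LARGE_LIST:
        warnings.append(f"sensitive data addressed to {len(members)} recipients; confirm the list")
    return warnings
```

Note that the third incident would pass this check unchanged, since every member is internal; that is why the council also made group addresses clearly identifiable rather than relying on the external-address alert alone.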
Until now, the only organisations to have been fined by the ICO for data protection breaches were Hertfordshire County Council, Ealing Council, Hounslow Council and employment services company A4e. Hertfordshire County Council had previously received the heaviest penalty of £100,000 in November 2010, after it faxed details of a child abuse case to a member of the public. It had won an IT excellence award just the previous month.