The Information Commissioner has fined Midlothian Council outside Edinburgh £140,000 for a series of data breaches in which child protection data was sent to individuals not involved in the cases.
Between January and June 2011, on five separate occasions the Council sent out social service reports on children to the wrong recipients, in one instance resulting in seven healthcare professionals receiving notes they had no reason to see.
In a second example singled out by the ICO, notes containing personal information on a mother were sent in error to the address of her ex-partner but were opened by a third party.
All of the incidents could have been avoided had the Council put in place “adequate data protection policies, training and checks”, the ICO said in its ruling.
The fine is the first ever imposed by the ICO on a Scottish organisation.
“Information about children’s care, as well as details about their health and wellbeing, is some of the most sensitive information a local authority holds. It is of vital importance that this information is protected and that robust policies are followed before it is disclosed,” said ICO assistant commissioner for Scotland, Ken Macdonald.
“I hope this penalty acts as a reminder to all organisations across Scotland and the rest of the UK to ensure that the personal information they handle is kept secure.”
The Midlothian case bears a striking resemblance to one from December 2011 in which Powys County Council was fined £130,000 for accidentally sending a member of the public child protection notes after a print job mix-up.
Although that was a smaller incident, that council had been warned once before by the ICO, which bumped up the fine. The Midlothian fine will have reflected that the ICO was dealing with a string of incidents of a similar nature.
The ICO is seeking more power to audit the data protection policies of Councils, if necessary without consent.