Four local councils have been fined a total of over £300,000 for serious data breaches by the Information Commissioner, who has criticised local government’s attitude towards protecting personal data.
Leeds City Council was fined £95,000, Plymouth City Council £60,000 and Devon County Council £90,000 after separate incidents saw details of child care cases sent to the wrong recipients. And the London Borough of Lewisham was issued with a penalty of £70,000 after social work papers were left on a train.
The Information Commissioner said the latest penalties mean that nineteen local councils have now received monetary penalties for breaching the Data Protection Act, totalling £1,885,000.
The case in Leeds saw sensitive personal details about a child in care sent to the wrong person, revealing details of a criminal offence, school attendance and information about the child’s relationship with their mother.
When sending internal mail, the council re-uses envelopes that have been used for external mail. But in this case the external address wasn’t crossed out, and so the sensitive file was posted outside the council to someone who had nothing to do with this case.
The breach at Plymouth City Council followed a similar pattern, with information passed to the wrong recipient including highly sensitive personal information about two parents and four children, notably allegations of child neglect relating to ongoing care proceedings.
The breach occurred when two reports about separate child neglect cases were sent to the same shared printer. Three pages from the first report were mistakenly collected with the papers from the second case, and so were handed to the wrong family.
In Devon, a social worker used a previous case as a template for an adoption panel report they were writing, but a copy of the old report was sent out instead of the new one.
The mistake revealed personal data of 22 people, including details of alleged criminal offences and mental and physical health.
In Lewisham, a social worker left sensitive documents in a plastic shopping bag on a train after taking them home to work on. The files, which were later recovered from the rail company’s lost property office, included GP and police reports and allegations of sexual abuse and neglect.
Information Commissioner Christopher Graham said, “It would be far too easy to consider these breaches as simple human error. The reality is that they are caused by councils treating sensitive personal data in the same routine way they would deal with more general correspondence.
"Far too often in these cases the councils do not appear to have acknowledged that the data they are handling is about real people, and often the more vulnerable members of society."
He said: "there is clearly an underlying problem with data protection in local government". Graham said he would be meeting with stakeholders from across the sector to discuss how they can address the problems.
The Information Commissioner's Office is pressing the Ministry of Justice for stronger powers to audit local councils’ data protection compliance, and if necessary without consent. The same powers are being sought for NHS bodies across the UK following a series of data protection breaches in the health sector .