The Information Commissioner’s Office (ICO) has ordered the Council of the Isles of Scilly to implement new data protection policies and training, after two data breaches involving the disclosure of personal data.
The first breach occurred in June 2013, when an attachment inadvertently included in an email revealed personal data related to a disciplinary hearing.
A further incident occurred in September 2013, involving two documents containing sensitive personal data ending up in public circulation. Poor data sharing, including staff using personal email accounts and paper documents not being properly redacted, meant details of an investigation into the conduct of a former head teacher were disclosed publicly.
ICO head of enforcement Stephen Eckersley, said: “Personal data must be handled securely and safely. The council has failed to do so and must now make immediate changes.
“The people of the Isles of Scilly need to be confident their council understands and complies with the law. The undertaking from the council to us will help ensure it does so.”
The council has agreed to implement mandatory data protection training to staff, with refresher training to be updated regularly. It must also draft appropriate guidance on the safe transfer of personal data by email and consider the use of encryption. In addition, the council must draft a document redaction policy.