A print job mixup has left a Welsh council nursing the largest fine ever to be levied by the Information Commissioner for a breach of the Data Protection Act.
Powys County Council has been asked to pay £130,000 after two pages of case notes from a child protection case were accidentally added to those of a separate case before being sent to a member of the public.
The mixup, which occurred in February this year, happened because both sets of paper notes were printed using the same shared network printer and were not checked before being sent out, the ICO said. The issue was raised with the council by the recipient – who also knew the child in question – and a complaint was filed separately by the child’s mother through a local MP.
The unusually tough fine reflected the fact that the Council had been warned previously by the ICO for sending child protection data to an unintended recipient in June 2010, making the new offence the second in less than a year.
The ICO said the accumulation of cases along similar lines has convinced it of the need to ask the Ministry of Justice for new powers to audit councils and NHS organisations without their consent.
“This is the third UK council in as many weeks to receive a monetary penalty for disclosing sensitive information about vulnerable people,” said ICO assistant commissioner for Wales, Anne Jones.
“It’s the most serious case yet and it has attracted a record fine. The distress that this incident would have caused to the individuals involved is obvious and made worse by the fact that the breach could have been prevented if Powys County Council had acted on our original recommendations,” she said.
“There is clearly an underlying problem with data protection in social services departments and we will be meeting with stakeholders from across the UK’s local government sector to discuss how we can support them in addressing these problems.”
ICO fines and warnings now litter the news archives with no sign of a slow-down in the number of data breach and data protection cases coming to light. This raises questions about whether the compliance regime is working effectively enough or should seek to address the deeper problems in the way public sector organisations store and handle sensitive data.
Only two weeks ago, the Big Brother Watch organisation used freedom of information requests to uncover 1,035 incidents in which public sector organisations had lost laptops and memory sticks on which sensitive data could have been stored. Only 55 of these were actually reported to the ICO.