Sensitive data losses exposed
13:00 29 November 2011
NORTH Somerset Council has been fined £60,000 after emails containing sensitive details about a child case review were sent to the wrong recipient.
The serious breach of the Data Protection Act saw emails sent to the wrong NHS employee five times, despite the error being highlighted twice.
The unitary authority was investigated by the Information Commissioner’s Office (ICO), which found the council had failed to ensure staff received appropriate data protection training.
A separate report released by Big Brother Watch, has also revealed North Somerset Council made 16 data protection breaches in the three years between August 2008 and August 2011.
The campaign group, which focuses on privacy issues, surveillance and civil liberties, made a Freedom of Information Act request to gain the details.
This revealed six shorthand notepads and four A4 pads containing sensitive data were found by a council contractor and handed in to police.
Confidential waste was found in a bin outside council offices and 10 laptops were stolen or lost, four of which were taken in thefts from a school.
The council fell victim to a phishing attack, meaning unauthorised access was gained to its emails as well as information regarding complaints about five individuals.
A letter concerning child protection issues was sent to the wrong recipient and a printed council email was found in the street.
Councillor Tony Lake, North Somerset Council’s executive member responsible for data protection issues, said: “We take our data security responsibilities seriously, which is why we decided to report these incidents to the Information Commissioner’s Office ourselves, so that he could carry out his own investigation.
“Of the 16 data incidents included in the report, only three of these were actual data losses.
“Because we regard this as such a serious issue, we have probably included items on the list that other councils wouldn’t - for example a missing application for a bus pass, a USB stick containing photos of a planning development which was subsequently found and a printed email found on the street that contained no sensitive or personal data.
“However, no data losses are acceptable and we are working to keep losses to an absolute minimum. The council has developed a comprehensive training programme on information governance which all staff have to complete.”