IQ Legal TrainingAlphabiolabsHousing Law WeekBerkeley Lifford Hall Accountancy Services

Local authority receives penalty from Information Commissioner for children’s services’ data protection breaches

Midlothian Council sent children’s personal data to the wrong recipients

The Information Commissioner's Office (ICO) has imposed a monetary penalty of £140,000 on Midlothian Council for disclosing sensitive personal data relating to children and their carers to the wrong recipients on five occasions.

The five serious data breaches – all involving children's social service reports being sent to the wrong recipients – occurred between January and June 2011. One of them happened when papers relating to the status of a foster carer were sent to seven healthcare professionals, none of whom had any reason to see the information. In another case, minutes of a child protection conference were sent in error to the former address of a mother's partner, where they were opened and read by his ex-partner. The papers also contained personal data about the children's mother, who made a complaint to her social worker about this incident.

The first breach, which occurred in January 2011, did not come to light until March, when the Council began an investigation. Unfortunately, this did not prevent further similar incidents taking place in May and June.

Ken Macdonald, Assistant Commissioner for Scotland said:

"I hope this penalty acts as a reminder to all organisations across .... the UK to ensure that the personal information they handle is kept secure."

The ICO's investigation found that all five breaches could have been avoided if the council had put adequate data protection policies, training and checks in place.

The ICO has ordered the council to take action to keep the personal information they handle secure. The council has recovered all of the information mistakenly sent to the wrong recipients and will now check all records to ensure that the details they hold are up-to-date. The council will also update its existing data protection policy to include specific provisions for the handling of personal data by social services staff. Any outgoing letters containing sensitive or confidential data will also be checked by another member of staff before being sent. The council's data protection training scheme will also be improved. 

The ICO is asking the government for stronger powers to audit local councils' data protection compliance, if necessary without consent.  The same powers are sought for NHS bodies across the UK following a series of data protection breaches.