
Data protection audit and advice

 
The latest news on Data Protection Act breaches, data security risks, forthcoming legislation and requirements:

LOCAL AUTHORITIES
 

How we can help

Your organisation could benefit from our expertise in the following broad areas:

  • Audits, health-checks & risk analysis
  • Compliance support
  • Policy-checking & authoring
  • Advice & support
  • Development & training.

Of course, there are other benefits, too:

  • You can breathe a big sigh of relief
  • You may not need to employ your own people to look after data protection
  • There are genuine business benefits in getting your data protection right.
   

Aberdeen City Council fined £100,000 for security failings

30 August 2013— The ICO has fined Aberdeen City Council £100,000 after sensitive information relating to Social-Services involvement with several individuals was published online, including details relating to the care of vulnerable children. It happened when a council employee accessed documents from her home computer: a file transfer program automatically uploaded the documents to a website, publishing sensitive information about several vulnerable children and their families, including details of alleged criminal offences. The files remained available online for 3 months. An ICO investigation found that the council had no relevant home-working policy in place for staff and did not have sufficient measures in place to restrict the downloading of sensitive information from the council’s network. Read more…

Glasgow Council fined £150,000 after theft of 2 unencrypted laptops

7 June 2013— In 2010, the council was issued with an enforcement notice after an unencrypted memory stick was lost. Now, Glasgow City Council has been fined £150,000 following the theft of 2 unencrypted laptops from the council’s offices, one of which contained the council’s creditor payment-history file, listing the personal information of 20,143 people, including 6,069 individuals’ bank-account details. A further 74 unencrypted laptops remain unaccounted for, with at least 6 of these known to have been stolen. The ICO’s Assistant Commissioner for Scotland said that the return of these poor practices shows a flagrant disregard for the law and the people of Glasgow. Read more…

Council fined for releasing adoptive family's details to birth mother

5 June 2013—Halton Borough Council in Cheshire has been fined £70,000 after a council employee sent a letter about an adopted child to the birth mother last year, and mistakenly included a covering letter giving details of the adoptive parents’ home address. The birth mother passed this information to her parents, who then wrote to the adoptive parents seeking contact. Read more…

Underlying problem in local government - ICO, as 4 councils fined

17 December 2012—“There is an underlying problem with data protection in local government”, according to the Information Commissioner as 4 local councils are fined. To date, 19 local councils have been fined a total of £1,885,000 for breaching the Data Protection Act. Read full story...

  • Leeds City Council was fined £95,000 after personal details about a child in care were sent to the wrong person (revealing details of a criminal offence, school attendance and information about the child’s relationship with its mother).
  • Plymouth City Council was fined £60,000 when information was passed to the wrong recipient, including highly sensitive personal information about allegations of child neglect (the breach occurred when two reports about separate child neglect cases were sent to the same shared printer. Three pages from the first report were mistakenly collected with the papers from the second case, and so were handed to the wrong family).
  • Devon County Council was fined £90,000 after separate incidents saw details of child care cases sent to the wrong recipients.
  • London Borough of Lewisham was fined £70,000 after social-work papers were left on a train.

Stoke-on-Trent City Council fined £120,000

25 October 2012—Stoke-on-Trent City Council emailed sensitive information about a child-protection legal case to the wrong person. If the data had been encrypted, it would have remained secure — so the authority has received a significant penalty for failing to adopt a simple and widely used security measure. In December 2011, 11 emails were sent by a solicitor at the authority to the wrong address. The emails included highly sensitive information relating to the care of a child and further information about the health of two adults and two other children. The emails should have been sent to counsel instructed on a child protection case. Read full story...

Local authority fined a hefty quarter of a million

11 Sept 2012—Scottish Borders Council has been fined £250,000 by the ICO after former employees’ pension records were found in an over-filled paper-recycling bank in a supermarket car park. The local authority had employed an outside company to digitise the records, but failed to seek appropriate guarantees on how the personal data would be kept secure. Scottish Borders Council had not put a contract in place with the third-party processor, sought no guarantees over their technical or organisational security, and did not make sufficient attempts to monitor how the data was being handled. Over 600 files were deposited at the recycling bins, containing confidential information and, in a significant number of cases, salary and bank account details. Read full story...

Telford & Wrekin Council fined £90,000

6 June 2012—Telford & Wrekin Council has been fined £90,000 for a breach of the Data Protection Act (DPA) for disclosing confidential and sensitive personal data relating to four vulnerable children, following two similar data breaches. One of those occurred when a staff member sent the Social Care Core Assessment of one child to a sibling instead of their mother; the second concerned the inclusion of the names and addresses of the foster-care placements of two young children in their placement information record (which was shown to the children’s mother, who noticed the foster carers’ address). Read full story...

London borough fined £70,000 after losing sensitive data

16 May 2012—The London Borough of Barnet has been issued with a penalty of £70,000 after losing paper records containing highly sensitive and confidential information, including the names, addresses, dates of birth and details of the sexual activities of 15 vulnerable children or young people. The loss occurred when a social worker took the paper records home to work on them out of hours. The social worker’s home was burgled in April last year, and a laptop bag, containing the records and an encrypted computer, was stolen. Read full story...

Leicestershire County Council in data breach after briefcase theft

17 April 2012—Leicestershire County Council has been found in breach of the Data Protection Act following the theft of a briefcase containing sensitive personal data from a social worker’s home during a burglary. It contained the sensitive personal data of 18 individuals, outlining details of neglect and requesting the removal of children from their parents’ care. The social worker had asked for permission to take the reports home in order to continue work on them, and this was authorised by the relevant manager, in accordance with the council’s procedures. At the time, the employee’s manager had received the relevant training, but the social worker had not. The authority had a policy in place but this didn’t relate to the handling of paper documents while working from home. Read full story...

Cheshire East Council fined £80k for lax security on emails

15 February 2012—Cheshire East Council has been fined £80,000 for failing to ensure the security and appropriateness of disclosure when emailing personal information. Read full story...

Croydon & Norfolk councils fined for serious data breaches

13 February 2012—The ICO has issued fines totalling £180,000 to Croydon Council and Norfolk County Council for failing to keep highly sensitive information about the welfare of children secure. Croydon Council was fined after a bag containing papers relating to the care of a child-sex-abuse victim was stolen from a London pub. Norfolk was fined £80,000 for disclosing information about allegations against a parent and the welfare of their child to the wrong recipient. Read full story...

Midlothian Council fined £140,000

30 January 2012—The ICO has imposed a monetary penalty of £140,000 on Midlothian Council for disclosing sensitive personal data relating to children and their carers to the wrong recipients on five separate occasions. The penalty is the first that the ICO has served against an organisation in Scotland. Read full story...

Council fined £130,000 for disclosing child protection case details

6 December 2011—The ICO has fined Powys County Council £130,000 for a serious breach of the Data Protection Act, where the details of a child protection case were sent to the wrong recipient. The penalty is the highest that the ICO has served. The breach occurred when two separate reports about child protection cases were sent to the same shared printer. It is thought that two pages from one report were then mistakenly collected with the papers from another case and were sent out without being checked. The recipient mistakenly received the two pages of the report and knew the identities of the parent and child whose personal details were included in the papers. Read full story…

Councils fined for serious email errors

28 November 2011—The ICO has served monetary penalties to North Somerset Council and Worcestershire County Council after staff at both authorities sent highly sensitive personal information to the wrong recipients. The news comes as the Information Commissioner is pressing for stronger powers to audit data protection compliance across local government and the NHS. Read full story…

132 councils lost data in past 3 years

23 November 2011—Some councils are showing a ‘shockingly lax attitude’ to protecting confidential data, according to a report which has found 1,035 cases of personal data loss by 132 councils between August 2008 and August 2011. Read full story…

Council lost memory stick containing 18,000 residents’ details

3 November 2011—Rochdale Metropolitan Borough Council has breached the Data Protection Act by losing an unencrypted memory stick containing the details of over 18,000 residents. The memory stick has not been recovered, and the ICO found that the council’s data protection practices were insufficient—specifically that it failed to make sure that memory sticks provided to its staff were encrypted. Read full story…

Youth Offending Team found in breach after laptop stolen

28 October 2011—Newcastle Youth Offending Team breached the Data Protection Act by failing to encrypt a laptop containing the personal data of 100 young people, which was later stolen from a contractor’s home. The contractor had been working on a youth inclusion programme on behalf of the team. Read full story…

Compulsory audits are on the cards

13 October 2011—The ICO has said powers are needed to conduct compulsory data protection audits in local government, the health service and the private sector, because the ICO is being blocked from auditing organisations in sectors which are causing concern over their handling of personal information. At present, only central government departments are subject to compulsory data protection audits. Read full story…

Walsall residents’ details dumped in skip

9 September 2011—Walsall Council breached the Data Protection Act by accidentally dumping hundreds of local residents’ postal vote statements in a skip. The statements were disposed of by an external contractor on the council’s behalf, and included people’s names, addresses, dates of birth and signatures. The ICO found that the council did not have a contract in place with the organisation processing this personal information. The council also failed to provide their contractor with instructions on how the information should be kept secure, as required under the act. Read full story…

ICO issues monetary penalty over misdirected emails

9 June 2011—Surrey County Council must pay £120,000 after sensitive personal information was emailed to the wrong recipients on three separate occasions, detailing the health and welfare of 241 vulnerable individuals. The penalty recognises the council’s failure to ensure that it had appropriate security measures in place to handle sensitive information. The council has taken action to improve its policies on information security, including developing an early-warning system which alerts staff when sensitive information is being sent to an external email address. The council has also improved the training it provides to its staff and will ensure that any group email addresses are clearly identifiable. Read full story...

Sensitive information stolen from council worker’s unlocked bag

8 June 2011—North Lanarkshire Council breached the Data Protection Act when a home support worker’s bag was stolen. The unlocked bag contained the worker’s visiting schedule for the next two days as well as information about the mental or physical health of 6 vulnerable adults. The ICO’s enquiries found that the guidance provided by the council to its home support workers on the storage and disposal of personal information outside of the office was inadequate. Read full story...

 
       

© Data Protection Consultancy Ltd, 29 Shadwell Lane, Leeds LS17 6DP
