ICO reprimands Nottinghamshire County Council for failure to redact sensitive information
Published: November 22nd, 2023
Recently, the Information Commissioner's Office (ICO) announced its decision to reprimand Nottinghamshire County Council (the Council) for failure to redact sensitive information held within a Child and Family Assessment report. Such reports are used to assess the needs of vulnerable children in situations where there are concerns about the ability of parents/guardians to meet those needs.
Background
The Council's social work team completed a Child and Family Assessment (CFA) in relation to the wellbeing of two children in Nottinghamshire. A social worker then sent copies of the CFA report to the mother of the children and her two ex-partners, each being the father of one of the two children. Given the nature of the assessments, personal data included in CFA reports can often be highly sensitive, meaning individuals could be put at risk of harm if their information were inadvertently disclosed, or have their data protection rights otherwise breached.
In this case, the CFA report contained information relating to previous instances of domestic abuse against the mother and two children, which, through the social worker's disclosure, created an unsafe situation between the parties and put the mother and two children at risk of physical harm.
Findings
Following its investigation, the ICO identified that the Council failed to put in place appropriate technical and organisational measures to ensure an acceptable level of security proportionate to the sensitivity of the information, thus breaching the following provision of the UK GDPR:
Article 32(1) - security of personal data.
In providing reasons for its decision, the ICO explained that the Council had implemented a procedure whereby CFAs were to be signed off by a team manager prior to disclosure. Through human error, there was an initial failure to redact sensitive information. Notwithstanding this, the report was still then signed off by a manager and distributed to the parties. As a result, it was determined that the procedure adopted by the Council was not robust enough to manage instances of human error.
Furthermore, the ICO identified that Council staff were not provided with a sufficient level of training and guidance as to the risks/damage that can be caused as a result of accidental disclosure of sensitive information.
Finally, the ICO understood there to have been 16 similar incidents at the Council in the previous two years, stemming from a failure to properly redact sensitive data, a number of which resulted in safeguarding concerns being raised.
The reprimand
In providing its recommendations, the ICO acknowledged that the Council had taken a number of steps to remedy the situation in light of the incident. Most significantly, the Council has now adopted a detailed guidance document and procedure relating to redaction and disclosure.
Notwithstanding these actions, the ICO decided to issue a formal reprimand to the Council in respect of the identified infringements of Article 32(1) of the UK GDPR.
Consequences of a Reprimand
A reprimand is issued by the ICO under Article 58(2) UK GDPR following an investigation where the ICO considers an organisation has not complied with the UK GDPR. Reprimands may be issued where the ICO has found a breach of the UK GDPR but the breach is not serious enough to attract a fine. They are also commonly issued against public sector organisations as an alternative to a fine, which would have to be paid out of public funds.
From December 2022, the ICO announced it would publish details of reprimands on its website. Therefore, despite avoiding a fine, organisations may now face additional scrutiny and reputational damage as a result of a reprimand being issued. An organisation may also find the reprimand being used as evidence in claims for compensation for a data breach.
Conclusion
Through this reprimand, and given the nature of the information they hold, Registered Providers (RPs) are reminded of the importance of ensuring the security of sensitive data, reinforced through clear, robust policies. For example, RPs who receive Subject Access Requests from individuals and third parties for copies of sensitive information should take extra care when redacting that information, to prevent a risk of harm developing against individuals. Organisations that fail to exercise proper caution not only risk enforcement action from the ICO but also risk putting their data subjects at serious harm, as was unfortunately considered to be the case on this occasion for the Council.
Where RPs are concerned about their ability to disclose sensitive information and/or the level of redaction they should be applying, our recommendation is that further advice is sought prior to any disclosure.
For further information please contact Laura Rae