ICO takes two further Councils to task over Data Breaches

The Information Commissioner has recently required undertakings from two local authorities for data breaches.

Two points of note arise.

Firstly, it appears that the punishment handed down to an authority who self- reports   a disclosure incident, rather than being found out, is likely to be reparatory rather than punitive.

Secondly, the circumstances of the breaches provide salutary lessons.

Wokingham Council sent sensitive Social Services documents to an address via a Courier. However the Courier was not advised of the sensitive nature of the documentation, and so, upon finding that the intended recipient, was not in, he left the package on the doorstep , from where it was later taken by persons unknown.

We suspect that many local authorities have employed a courier service to transport sensitive data, assuming the service offered to be secure, so  what should the local authority have done to protect themselves further?

The ICO felt that to place the sensitive data into the hands of the Courier, without further instruction, was unwise. Whilst one would hope that most Couriers would not leave a package  on  a doorstep, it is conceivable, following a failed delivery, that they would dump a package at a insecure depot over night or over a weekend.

The likelihood of papers going astray, once out of an Authority’s control is such that we would advise all local authorities to employ only approved couriers and to agree with them, before release of the data, a protocol setting out their expectations.

Wirral Council mistakenly sent sensitive Social Services documents, containing details of criminal convictions, to the wrong address, twice. This combined with three other disclosed incidents resulted in the ICO requiring an undertaking from Wirral to ensure all staff had DPA training by the end of June.

Kella Bowers

About Kella Bowers

Partner in the Insurance department
This entry was posted in Abuse, Education Law, Emergency Services, Employers liability, Litigation, Public liability, Social services.

Leave a Reply

Your email address will not be published. Required fields are marked *