Surrey County Council fined £120,000 for misdirected e-mails

Surrey County Council has been hit with a £120,000 fine for breaching the Data Protection Act.

Surrey County Council has been hit with a £120,000 fine for breaching the Data Protection Act.

The Information Commissioner's Office (ICO) fined the council after it sent sensitive information to incorrect e-mail addresses on three separate occasions.

In one of these instances the health and welfare information of 241 people was sent to the wrong recipients in an unencrypted e-mail. The second misdirected e-mail involved the personal data of a number of individuals being mistakenly e-mailed to more than 100 recipients. The third involved the council's Children Services department mistakenly sending out confidential information on an individual.

Surrey is now the fourth council to be fined for breaching the Data Protection Act since the ICO's powers were extended last April. It is also the body to have received the largest penalty to date. Hertfordshire Country Council and Ealing and Hounslow Councils have also received fines.

UK Information Commissioner Christopher Graham said: "Surrey County Council has paid the price for its failings and this case should act as a warning to others that lax data protection practices will not be tolerated."

Surrey County Council's fine follows recent criticism of the ICO that it has not sufficiently exercised its powers to issue monetary penalties, having punished just 1% of breaches in this way.

Surrey says it has now taken action to improve its policies on information security.



Photo: Thinkstock Images

Read more on IT risk management