Stoke-on-Trent City Council has been fined £120,000 by the Information Commissioner’s Office (ICO) for breaching the Data Protection Act.
A solicitor who worked within the organisation was found to have sent 11 emails containing information about a child protection lawsuit to the wrong person, which the ICO considered a “serious breach” of the legislation.
As well as data on the child, the emails – sent on 14 December 2011 – also contained information about the health of two adults and a further two children.
The recipient of the emails was identified but would not respond when asked to delete the offending emails.
It is the second time the council has been taken to task by the ICO, following the loss of a USB stick in 2010 which contained data on childcare cases. At that time it was made to sign an undertaking promising to make improvements to its data security policy.
In its updated guidelines, the council stated that all sensitive data should be sent over a secure network or the information itself should be encrypted. In this latest incident, neither precaution was taken, and the lawyer in question had not been provided with encryption software.
“If this data had been encrypted then the information would have stayed secure,” said Stephen Eckersley, head of enforcement at the ICO. “Instead, the authority has received a significant penalty for failing to adopt what is a simple and widely used security measure.”
Stoke-on-Trent City Council now has until 26 November to pay the fine and must introduce further staff training and technical capabilities to ensure the same mistake doesn’t happen again.