Aberdeen City Council gets £100,000 penalty for IT security failings

The ICO has served Aberdeen City Council with a monetary penalty of £100,000 for publishing vulnerable children’s details online

The Information Commissioner’s Office (ICO) has served Aberdeen City Council with a monetary penalty of £100,000 for inadvertently publishing vulnerable children’s details online.

The ICO said information included details relating to the care of vulnerable children by social services.

The information was released after a council employee accessed council documents, including meeting minutes and detailed reports, from a home computer.

A file transfer program on the machine automatically uploaded the documents to a website, publishing sensitive information about several vulnerable children and their families.

The files were uploaded between 8 and 14 November 2011. They remained online until 15 February 2012 when another member of staff spotted the documents after carrying out an online search linked to their ownname and job title.

The council was informed and the original documents were removed, before the incident was reported to the ICO. 

The ICO’s investigation found that the council had no relevant home working policy in place for staff and did not have sufficient measures to restrict the downloading of sensitive information from the council’s network.

Ken Macdonald, assistant commissioner for Scotland at the ICO, said that as more people take the opportunity to work from home, organisations must have adequate measures in place to make sure the personal information being accessed by home workers continues to be kept secure.

“In this case Aberdeen City Council failed to monitor how personal information was being used and had no guidance to help home workers look after the information,” he said.

The council also had no checks in place to see whether existing data protection guidance was being followed.

“The result was a serious data breach that left the sensitive information of a vulnerable young child freely available online for three months,” said Macdonald.

“We would urge all social work departments to sit up and take notice of this case by taking the time to check their home working setup is up to scratch,” he said.

The council is currently in the processes of agreeing an undertaking with the ICO, which commits the organisation to improving its compliance with the Data Protection Act. 

Read more on ICO penalties

Read more on Privacy and data protection