tashka2000 - Fotolia

ICO fines council £70,000 for exposing personal data online

The ICO has issued a monetary penalty to Nottinghamshire County Council for leaving personal information exposed online for five years

An investigation by the Information Commissioner’s Office (ICO) has revealed that Nottinghamshire County Council failed to protect personal data stored in an online database.

The Data Protection Act requires organisations to take appropriate measures to keep personal data secure, especially when dealing with sensitive information.

But Nottinghamshire County Council posted the gender, addresses, postcodes and care requirements of elderly and disabled people in an online directory that did not have basic security or access restrictions such as a username or password, according to the ICO.

The council was alerted by a member of the public who discovered the data using a search engine, and was able to view the data as there were no security controls in place.

The data, which had been accessible for five years, could have been used by criminals to target vulnerable people or their homes, especially as it showed who was still in hospital.

In July 2011, the council launched its Home Care Allocation System (HCAS), an online portal allowing social care providers to confirm that they had capacity to support a particular service user.

When the breach was reported in June 2016, the HCAS contained a directory of 81 service users. It is understood the data of 3,000 people had been posted in the five years the system was online.

Although the service users’ names were not included in the exposed data, a determined person would be able to identify them, the ICO found.

Breach of data law

ICO head of enforcement Steve Eckersley said the incident represented a serious and prolonged breach of the law.

“For no good reason, the council overlooked the need to put robust measures in place to protect people’s personal information, despite having the financial and staffing resources available,” he said.

“Organisations need to treat the security of data as seriously as they take the security of their premises or their finances”
Steve Eckersley, ICO

Given the sensitive nature of the personal data and the vulnerability of the people involved, Eckersley said the failure to protect the data was unacceptable and inexcusable.

“Organisations need to understand that they have to treat the security of data as seriously as they take the security of their premises or their finances,” he said.

The ICO issued a monetary penalty of £70,000 because the council failed to take appropriate technical measures against the unauthorised and unlawful processing of personal data.

The ICO found the incident was also likely to cause substantial distress, but said it had taken into account mitigating factors, including the fact that HCAS was taken offline on 14 June 2016, and that the council had reported the incident to the ICO.

Read more about GDPR

The ICO currently has the power to impose monetary penalties of up to £500,000, but after 25 May 2018 UK organisations could face fines of up to €20m or 4% of global turnover for personal data breaches under the EU’s General Data Protection Regulation (GDPR).

The UK government is also considering plans to introduce new legislation to strengthen data protection, with proposed fines of up to £17m or 4% of global turnover to bring UK data protection law in line with the GDPR to ease data exchanges between the UK and the EU after Brexit.

Read more on Privacy and data protection