Information Commissioner slams councils after four data breaches

[Erica Absetz <eabsetz () opensecurityfoundation org>]

http://www.computerworlduk.com/news/public-sector/3417022/information-commissioner-slams-councils-after-four-data-breaches/

Four local councils have been fined a total of over £300,000 for
serious data breaches by the Information Commissioner, who has
criticised local government’s attitude towards protecting personal
data.

Leeds City Council was fined £95,000, Plymouth City Council £60,000
and Devon County Council £90,000 after separate incidents saw details
of child care cases sent to the wrong recipients. And the London
Borough of Lewisham was issued with a penalty of £70,000 after social
work papers were left on a train.

The Information Commissioner said the latest penalties mean that
nineteen local councils have now received monetary penalties for
breaching the Data Protection Act, totalling £1,885,000.

The case in Leeds saw sensitive personal details about a child in care
sent to the wrong person, revealing details of a criminal offence,
school attendance and information about the child’s relationship with
their mother.

When sending internal mail, the council re-uses envelopes that have
been used for external mail. But in this case the external address
wasn’t crossed out, and so the sensitive file was posted outside the
council to someone who had nothing to do with this case.

The breach at Plymouth City Council followed a similar pattern, with
information passed to the wrong recipient including highly sensitive
personal information about two parents and four children, notably
allegations of child neglect relating to ongoing care proceedings.

The breach occurred when two reports about separate child neglect
cases were sent to the same shared printer. Three pages from the first
report were mistakenly collected with the papers from the second case,
and so were handed to the wrong family.

In Devon, a social worker used a previous case as a template for an
adoption panel report they were writing, but a copy of the old report
was sent out instead of the new one.

The mistake revealed personal data of 22 people, including details of
alleged criminal offences and mental and physical health.

In Lewisham, a social worker left sensitive documents in a plastic
shopping bag on a train after taking them home to work on. The files,
which were later recovered from the rail company’s lost property
office, included GP and police reports and allegations of sexual abuse
and neglect.

Information Commissioner Christopher Graham said, “It would be far too
easy to consider these breaches as simple human error. The reality is
that they are caused by councils treating sensitive personal data in
the same routine way they would deal with more general correspondence.

"Far too often in these cases the councils do not appear to have
acknowledged that the data they are handling is about real people, and
often the more vulnerable members of society."

He said: "there is clearly an underlying problem with data protection
in local government". Graham said he would be meeting with
stakeholders from across the sector to discuss how they can address
the problems.

The Information Commissioner's Office is pressing the Ministry of
Justice for stronger powers to audit local councils’ data protection
compliance, and if necessary without consent.  The same powers are
being sought for NHS bodies across the UK following a series of data
protection breaches in the health sector .
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security equips organizations with security intelligence, risk
management services and on-demand security solutions to establish
customized risk-based programs to address information security and
compliance challenges.