The Information Commissioner's Office (ICO) fined Croydon Council in south London £100,000 after papers containing details of a child sex abuse victim were stolen from a pub.
Norfolk County Council was also fined £80,000 for sending details about allegations against a parent and the welfare of their child to the wrong person, taking the total amount of fines handed out by the ICO to more than £1 million.
Stephen Eckersley, the ICO's head of enforcement, said: "We appreciate that people working in roles where they handle sensitive information will - like all of us - sometimes have their bags stolen.
"However, this highly personal information needn't have been compromised at all if Croydon Council had appropriate security measures in place.
"One of the most basic rules when disclosing highly sensitive information is to check and then double check that it is going to the right recipient.
"Norfolk County Council failed to have a system for this and also did not monitor whether staff had completed data protection training."
He went on: "While both councils acted swiftly to inform the people involved and have since taken remedial action, this does not excuse the fact that vulnerable children and their families should never have been put in this situation."
The documents revealing information about the sexual abuse of a child and six other people connected to a court hearing were in an unlocked bag stolen from a social worker in a London pub in April last year, the ICO said.
It has never been recovered and, while data protection guidance was available, the watchdog said "it was not actively communicated to staff and the council had failed to monitor whether it had been read and understood".
In Norfolk, a social worker inadvertently wrote the wrong address on a report and hand-delivered the information to the intended recipient's next-door neighbour in April last year.
"The report contained confidential and highly sensitive personal data about a child's emotional and physical well-being, together with other personal information," the ICO said.
It also emerged that the social worker had not completed mandatory data protection training and that the council did not have a system in place for checking whether training had been completed.
Croydon Council said it was considering an appeal over the level of the fine, saying it believed it was "an excessive and unjustifiable amount".
"The council is perplexed and frustrated by the commissioner's general criticism of our data
protection and information handling guidance, as many of our internal measures and policies appear to have been disregarded in reaching this judgment," a council spokesman said.
"The council also believes, having taken advice, that the level of fine is wholly disproportionate to the breach.
"This is based on a comparison of fines levied in other data
protection cases, taking into account that this was a single breach, that there has been no complaint by any party, the extent of the procedures we already had in place, and the extensive steps that were taken by the council even before the ICO's ruling.
"We are therefore considering whether there are grounds for appealing against what we believe to be an excessive and unjustifiable amount."
He added that further steps were being taken to prevent a repeat of such an incident in the future, with staff being issued with "special
locks to ensure this material is also secure, even if the bag is stolen".
Mike Jackson, Norfolk County Council's director for environment, transport and development, said: "As soon as we discovered what had happened, we acted to contain the breach and apologised to all of the people concerned.
"We also carried out an investigation into what went wrong and looked at what we could do to further improve practice.
"Although this was a case of human error by a single member of staff, we have since put in place a range of measures to ensure there is
even greater clarity for staff on how to handle personal information."
He added: "Thankfully, data
protection breaches are rare across the organisation, when compared with the many thousands of pieces of personal information staff deal with every day."
Nick Pickles, director of the Big Brother Watch campaign group, said: "How many more people's privacy needs to be compromised before something is done to protect our personal information?
"Fining an entire council is not the same as holding to account the members of staff responsible for these incidents.
"It does little to deter the lax practices and cavalier attitude that is seemingly prevalent across the public sector.
"The Information Commissioner still requires permission to audit local authorities and staff all too often escape with a slap on the wrist.
"It is simply impossible to say our personal information is safe in the hands of too many local authorities."
PA
Comments