A series of blunders: Social worker left papers containing sexual abuse allegations in plastic bag on train


Jamie Grierson
Monday 17 December 2012 18:03

A social worker left papers containing sexual abuse allegations in a plastic bag on a train in one of a series of blunders that saw fines for data breaches at councils hit £1.9 million.

London Borough of Lewisham was fined £70,000 for the breach, while Plymouth City Council has been hit with a £60,000 penalty for a separate incident, the Information Commissioner's Office (ICO) said.

Elsewhere, Leeds City Council was fined £95,000 and Devon County Council was hit with a £90,000 penalty, bringing the total number of councils charged for Data Protection Act breaches to 19.

Information Commissioner Christopher Graham said: "It would be far too easy to consider these breaches as simple human error.

"The reality is that they are caused by councils treating sensitive personal data in the same routine way they would deal with more general correspondence."

In Lewisham, a social worker left sensitive documents in a plastic shopping bag on a train after taking them home to work on.

The files, which were later recovered from the rail company's lost property office, included GP and police reports and allegations of sexual abuse and neglect.

The case in Leeds saw sensitive personal details about a child in care sent to the wrong person, disclosing details of a criminal offence and school attendance.

When sending internal mail, the council re-use envelopes that have been used for external mail - in this case the external address was not crossed out.

The breach at Plymouth City Council saw information passed to the wrong recipient including highly sensitive personal information about two parents and four children.

The breach occurred when two reports about separate child neglect cases were sent to the same shared printer.

And in Devon, a social worker used a previous case as a template for an adoption panel report they were writing, but a copy of the old report was sent out instead of the new one.

The mistake disclosed personal data of 22 people, including details of alleged criminal offences and mental and physical health.

Sir Christopher went on: "Far too often in these cases, the councils do not appear to have acknowledged that the data they are handling is about real people, and often the more vulnerable members of society.

"The distress that these incidents would have caused to the people involved is obvious."

The ICO said it was pressing the Ministry of Justice for stronger powers to audit local councils' data protection compliance, if necessary without consent.

Tom Riordan, chief executive of Leeds City Council, said: "We take our data protection responsibilities seriously and regard any breach as unacceptable.

"We accept the findings of the Information Commissioner and although we have already apologised to the individual affected, we would like to take this opportunity to do so again.

"The incident happened over a year ago and we acted swiftly at the time to recover the data and put robust new systems in place to minimise the risk of this happening again."

Devon County Council said it had started mandatory data protection training for its staff.

It said: "It was a mistake that simply shouldn't have happened, and we've apologised.

"We take our duties regarding data protection extremely seriously and have a good track record in this respect."

A spokeswoman for Plymouth City Council said: "Practical steps to prevent a similar situation happening again were taken, including secure pin printing so that reports are only printed when staff activate the printer with their code, which reduces the risk of papers being mixed up.

"Extra checks before sensitive documents are dispatched from the office are also being devised.

"Children's social care have reinforced to all managers and staff that all employees have personal responsibility for the confidentiality of client information and the security of documents."

A Lewisham Council spokesman said: "We totally accept the findings of the Information Commissioner and very much regret that a member of staff, who is no longer with the council, potentially put confidential information into the public domain.

"Since this breach occurred, we have taken steps to make sure all staff who work with this type of confidential information are fully aware of their responsibilities and the need to comply with council practice and security measures.

"As part of this process, we have provided staff with further training and support."