Norfolk and Croydon fined for data breaches
Lauren Higgs
Tuesday, February 14, 2012
Croydon Council has been hit with a 100,000 fine from the information commissioner after a bag containing papers relating to the care of a child sex abuse victim was stolen from a London pub.
Meanwhile, Norfolk County Council has been served with an £80,000 penalty for disclosing details of a child protection case to the next-door neighbour of the family concerned.
The Croydon Council incident, which happened in April 2011, occurred when an unlocked bag belonging to a social worker was stolen from a London pub.
The social worker was taking papers home to use at a meeting the following day, including information about the sexual abuse of a child and six other people connected to a court hearing. The bag and its contents have never been recovered.
The Norfolk County Council security breach, which also happened in April 2011, came about when a social worker inadvertently wrote the wrong address on a report and hand delivered it to the intended recipient’s next-door neighbour.
The report contained confidential and highly sensitive personal data about a child’s emotional and physical wellbeing, together with other personal information and allegations against the parent.
The Information Commissioner’s Office (ICO) investigation found that while Croydon Council did have data protection guidance in place at the time of the theft, it was not actively communicated to staff and the council had failed to monitor whether it had been read and understood.
The ICO’s investigation into Norfolk found that the social worker had not completed mandatory data protection training, nor did the council have a peer-checking process to make sure that sensitive information was being sent to the correct recipient.
Stephen Eckersley, head of enforcement at the ICO, said that both councils acted swiftly to inform the people involved and have since taken action to prevent a repeat of the incidents.
But he warned that their remedial action "does not excuse the fact that vulnerable children and their families should never have been put in this situation".
"We appreciate that people working in roles where they handle sensitive information will – like all of us – sometimes have their bags stolen," he said. "However, this highly personal information needn’t have been compromised at all if Croydon Council had appropriate security measures in place.
"One of the most basic rules when disclosing highly sensitive information is to check and then double check that it is going to the right recipient. Norfolk County Council failed to have a system for this and also did not monitor whether staff had completed data protection training."
