A county council which left files that included sensitive information about children in a cabinet sent to a second hand shop has been fined £60,000 by the Information Commissioner’s Office (ICO). The breach by Norfolk County Council came to light after social work case files were discovered in a cabinet purchased by a member of the public from a second hand shop. The case files included information relating to seven children.
Steve Eckersley, ICO Head of Enforcement, said: “The council had disposed of some furniture as part of an office move but had failed to ensure that the cabinets were empty before disposal. Councils have a duty to look after any personal information they hold, all the more so when highly sensitive information is concerned – in particular about adults and children in vulnerable circumstances.
“For no good reason Norfolk County Council appears to have overlooked the need to ensure it had robust measures in place to protect this information. It should have had a written procedure in place which made it clear that any storage items removed from the office which may have contained personal were thoroughly checked before disposal.”
The data protection regulator adds that having the appropriate staff and procedures in place is key to ensuring councils look after personal information properly. This will be crucial when a new data protection law, arising from the European Union’s General Data Protection Regulation (GDPR) – setting standards for privacy of personal data – comes into force from May 2018.
Comment
Tony Pepper, co-founder and CEO of Egress, says: “With budget cuts forcing local authorities to up sticks and relocate, the likelihood of more confidential files going missing is extremely high. In cases like this, where sensitive information about children is at stake, it’s crucial that councils do everything they can to meet the high data protection standards expected of them.
“Technology has an important role to play, particularly as authorities look to transform government services through digitalisation of data and process, but this case also highlights the crucial role staff play in protecting sensitive information. With ‘accidental loss’ contributing nearly half of all records breached in 2016, organisations must look to better support their staff by delivering training and defined process, alongside data security technology that can apply protection to data when required.”
