The Information Commissioner’s Office (ICO) has ordered the Council of the Isle of Scilly to implement new data protection policies and training after two data breaches involving the disclosure of personal data.
The first breach occurred in June 2013 when an attachment inadvertently included in an email revealed personal data related to a disciplinary hearing. A further incident in September 2013 involved two documents containing sensitive personal data, ending up in public circulation. Poor data sharing, including staff using personal email accounts and paper documents not being properly redacted meant details of an investigation into the conduct of a former head teacher were disclosed publicly.
ICO Head of Enforcement, Stephen Eckersley, said: “Personal data must be handled securely and safely. The council has failed to do so and must now make immediate changes.
“The people of the Isles of Scilly need to be confident their council understands and complies with the law. Our undertaking will help ensure they do so.”
The council has agreed to implement mandatory data protection training, with refresher training to be updated regularly. They must also draft appropriate guidance on the safe transfer of personal data by email and consider the use of encryption. The council must also draft a redaction policy.
