
Case Studies

Data protection fine

A Scottish council has been fined £100,000 after what the data security watchdog terms a serious data breach resulted in sensitive information relating to social services involvement with several individuals being published online. The Information Commissioner’s Office (ICO) has served Aberdeen City Council with a monetary penalty of £100,000. The information included details relating to the care of vulnerable children.

The information was released after a council employee accessed documents, including meeting minutes and detailed reports, from her home computer. A file transfer programme installed on the machine automatically uploaded the documents to a website, publishing sensitive information about several vulnerable children and their families, including details of alleged criminal offences.

The files were uploaded between November 8 and 14, 2011 and remained available online until February 2012 when another member of staff spotted the documents, after carrying out an online search linked to their own name and job title. The council was informed and the original documents were removed, before the incident was reported to the ICO.

The ICO found that the council had no relevant home working policy in place for staff and did not have good enough measures to restrict the downloading of sensitive information from the council’s network.

Ken Macdonald, Assistant Commissioner for Scotland at the ICO, said: “As more people take the opportunity to work from home, organisations must have adequate measures in place to make sure the personal information being accessed by home workers continues to be kept secure. In this case Aberdeen City Council failed to monitor how personal information was being used and had no guidance to help home workers look after the information. On a wider level, the council also had no checks in place to see whether the council’s existing data protection guidance was being followed. The result was a serious data breach that left the sensitive information of a vulnerable young child freely available online for three months.

“We would urge all social work departments to sit up and take notice of this case by taking the time to check their home working set-up is up to scratch.”

The council is in the process of agreeing an undertaking with the ICO, which commits the organisation to improving compliance with the Data Protection Act.

