The Information Commissioner’s Office (ICO) has ordered Wolverhampton City Council to provide adequate data protection training for its staff following a series of warnings dating back over two years.
The enforcement action follows an investigation into a data breach at the council, in January 2012. The breach was caused when a social worker, who had not received data protection training, sent out a report to a former service user detailing their time in care. However, the social worker failed to remove highly sensitive information about the recipient’s sister that should not have been included.
In December 2011, just before the breach, the ICO had audited the council. The audit recommended the council introduce a data protection policy, explaining how people’s information should be kept secure. It also recommended the council should provide mandatory staff training so that the policy was followed. The policy was introduced in May 2013 with mandatory training for all staff scheduled to be completed by the end of February this year. However, the ICO has discovered the council has failed to meet this deadline with two thirds of the council’s staff (68pc) still having not undertaken the training. The council must now make sure the training is provided to all staff within 50 days.
ICO Head of Enforcement, Stephen Eckersley, said: “The lack of urgency displayed by Wolverhampton City Council is startling. Over two years ago, we reviewed the council’s practices and highlighted the need for guidance and mandatory training to help its staff keep residents’ information secure.
“Despite numerous warnings the council has failed to act, with over two thirds of its staff still remaining untrained. We have taken positive steps and acted before this situation is allowed to continue any longer and more people’s personal information is lost.”
Meanwhile the ICO has criticised the Student Loans Company Limited after a series of data breaches involving customers’ records. The business reported several incidents where information held about customers, including medical details and a psychological assessment, had been sent to the wrong people. The watchdog found that not enough checks were carried out when documents were being scanned to add to customer accounts, and more sensitive documents actually received fewer checks.
ICO Head of Enforcement, Stephen Eckersley, said: “For the majority of students, the Student Loans Company represents a crucial service that they rely on to fund their studies. Students are obliged to provide personal information to the loans company, both while they receive the loan and in the years when they are paying it back, and they are right to expect that information to be properly looked after.
“Our investigation showed that wasn’t happening. We’ve spoken with the company and made clear that changes need to be made, and a formal undertaking is now in place.”
The Student Loans Company Ltd has signed an undertaking committing the organisation to ensure proper checks are carried out before correspondence is sent out, as well making staff better aware of its data protection policy.
