
ICO issues more council fines

But some call into question severity of penalty for mistakenly emailed personal data.

The Information Commissioner's Office (ICO) has served monetary penalties to two local councils.

The data watchdog said yesterday it had fined Worcestershire County Council £80,000 and North Somerset Council £60,000 for serious breaches of the Data Protection Act.

Information Commissioner, Christopher Graham, said: "I hope these penalties send a clear message to those working in the social care sector. The Information Commissioner takes this sloppiness seriously and so should you."

The Worcestershire County Council incident took place this March, when a member of staff emailed highly sensitive personal information about a large number of vulnerable people to 23 unintended recipients. The error occurred when the employee clicked on an additional contact list before sending the email, which had only been intended for internal use.

The ICO found Worcestershire had failed to take appropriate measures to guard against the unauthorised processing of personal data, such as providing employees with appropriate training and clearly distinguishing between internal and external email distribution lists. The council had also failed to properly consider an alternative means of handling the information, such as holding it in a secure system that could only be accessed by members of staff who needed to see it.

Worcestershire told the ICO that as soon as the breach occurred the council employee immediately realised their error and attempted to contact all of the unintended recipients to ensure that the information was deleted.

A North Somerset Council employee sent five emails between November and December 2010, two of which contained highly sensitive and confidential information about a child's serious case review, to the wrong NHS employee when creating a personal distribution list.

Despite the fact that the council employee was told about the error by the unintended recipient shortly after the first incident took place, information was emailed to the same NHS employee on a further three occasions before the breach was raised at a senior level.

The ICO said two of the council's assistant directors highlighted the issue with the employee on 9 December, but a fifth and final incident took place later that same day. The NHS organisation verbally confirmed to North Somerset Council that it destroyed the emails after their own internal investigation was complete.

The watchdog added that, although North Somerset Council had some policies and procedures in place, it had failed to ensure that relevant staff received appropriate data protection training. It has also recommended the council adopts a more secure means to send information electronically, including encryption and ensuring that managers sign off email distribution lists.

These were the seventh and eighth monetary penalty notices issued by the ICO, which only recently asked the government for more power to levy larger penalties.

Grant Taylor, vice president of the IT threat mitigation specialist Cryptzone, said he understood why the ICO deems it necessary to impose the fines, but questioned why the breaches happened in the first place.

"While assisting staff with the correct training and having the right security policies in place is clearly a given, protecting data in the public sector is also about using some common sense," Taylor said.

"Considering whether open or secure email is the appropriate communications medium, checking and double checking that the right recipients will receive the information and measures like encryption and data minimisation should be routine in all aspects of local government interactions," he added.
