ICO hands its biggest ever fine to Welsh council

Data security

The Information Commissioner's Office (ICO) today handed out its biggest fine yet, telling Powys County Council to hand over 130,000 for a serious snafu.

The local authority made a major blunder when details of a child protection case were sent to the wrong recipient.

It was believed two pages from one report were mistakenly collected from a printer and mixed up with other papers from a different case. The details were sent out without the council checking the documents.

The distress that this incident would have caused to the individuals involved is obvious and made worse by the fact that the breach could have been prevented.

The recipient knew the identities of the parent and the child whose data was included in the documents. That recipient then made a complaint to the council before their mother made a further complaint through her MP.

This is not the first time Powys County Council has made such a notable blunder. In June 2010, the ICO was made aware that the same recipient was mistakenly sent information relating to a vulnerable child.

"It's the most serious case yet and it has attracted a record fine," said assistant commissioner for Wales Anne Jones.

"The distress that this incident would have caused to the individuals involved is obvious and made worse by the fact that the breach could have been prevented if Powys County Council had acted on our original recommendations.

"There is clearly an underlying problem with data protection in social services departments and we will be meeting with stakeholders from across the UK's local government sector to discuss how we can support them in addressing these problems."

On top of the fine, the ICO has served the council with an enforcement notice that legally requires the authority to improve its data protection practices.

All staff at the council must also now be trained on how to handle personal data by 13 March 2012, with a refresher carried out every three years.

The authority revealed disciplinary action had been taken against the member of staff involved in the breach.

"This was a regrettable case of human error and we have apologised to all parties for the distress the disclosure may have caused," said councillor Michael Jones, leader of Powys County Council.

"The council expects staff, particularly those working in sensitive areas, to maintain the highest possible professional standards."

Showing its teeth?

The significant fine comes just a week after the ICO hit two local authorities with monetary penalties. In one fell swoop, the data protection watchdog fined Worcestershire County Council 80,000 and North Somerset Council 60,000.

The ICO had been quiet on the fining front of late, yet its recent actions may go some distance to silencing critics.

During the Leveson inquiry this week, former deputy information commissioner Francis Aldhouse denied claims made by ex-ICO senior investigations officer Alex Owens that Aldhouse had said newspapers were "too big" to take on.

"I don't fear the media," Aldhouse said.

His comments came on the same day that the Leveson inquiry heard a barrister had advised the ICO in 2003 there was a strong case against journalists looking to obtain private data illegally.

The ICO is asking for stronger powers to deal with breaches of the Data Protection Act, including prison sentences for shocking cases.

Tom Brewster

Tom Brewster is currently an associate editor at Forbes and an award-winning journalist who covers cyber security, surveillance, and privacy. Starting his career at ITPro as a staff writer and working up to a senior staff writer role, Tom has been covering the tech industry for more than ten years and is considered one of the leading journalists in his specialism.

He is a proud alum of the University of Sheffield where he secured an undergraduate degree in English Literature before undertaking a certification from General Assembly in web development.