The Information Commissioner's Office (ICO) today handed out its biggest fine yet, telling Powys County Council to hand over 130,000 for a serious snafu.
The local authority made a major blunder when details of a child protection case were sent to the wrong recipient.
It was believed two pages from one report were mistakenly collected from a printer and mixed up with other papers from a different case. The details were sent out without the council checking the documents.
The distress that this incident would have caused to the individuals involved is obvious and made worse by the fact that the breach could have been prevented.
The recipient knew the identities of the parent and the child whose data was included in the documents. That recipient then made a complaint to the council before their mother made a further complaint through her MP.
This is not the first time Powys County Council has made such a notable blunder. In June 2010, the ICO was made aware that the same recipient was mistakenly sent information relating to a vulnerable child.
"It's the most serious case yet and it has attracted a record fine," said assistant commissioner for Wales Anne Jones.
"The distress that this incident would have caused to the individuals involved is obvious and made worse by the fact that the breach could have been prevented if Powys County Council had acted on our original recommendations.
"There is clearly an underlying problem with data protection in social services departments and we will be meeting with stakeholders from across the UK's local government sector to discuss how we can support them in addressing these problems."
On top of the fine, the ICO has served the council with an enforcement notice that legally requires the authority to improve its data protection practices.
All staff at the council must also now be trained on how to handle personal data by 13 March 2012, with a refresher carried out every three years.
The authority revealed disciplinary action had been taken against the member of staff involved in the breach.
"This was a regrettable case of human error and we have apologised to all parties for the distress the disclosure may have caused," said councillor Michael Jones, leader of Powys County Council.
"The council expects staff, particularly those working in sensitive areas, to maintain the highest possible professional standards."
Showing its teeth?
The significant fine comes just a week after the ICO hit two local authorities with monetary penalties. In one fell swoop, the data protection watchdog fined Worcestershire County Council 80,000 and North Somerset Council 60,000.
The ICO had been quiet on the fining front of late, yet its recent actions may go some distance to silencing critics.
During the Leveson inquiry this week, former deputy information commissioner Francis Aldhouse denied claims made by ex-ICO senior investigations officer Alex Owens that Aldhouse had said newspapers were "too big" to take on.
"I don't fear the media," Aldhouse said.
His comments came on the same day that the Leveson inquiry heard a barrister had advised the ICO in 2003 there was a strong case against journalists looking to obtain private data illegally.
The ICO is asking for stronger powers to deal with breaches of the Data Protection Act, including prison sentences for shocking cases.
-
Trump's AI executive order could leave US in a 'regulatory vacuum'News Citing a "patchwork of 50 different regulatory regimes" and "ideological bias", President Trump wants rules to be set at a federal level
-
TPUs: Google's home advantageITPro Podcast How does TPU v7 stack up against Nvidia's latest chips – and can Google scale AI using only its own supply?
-
LastPass hit with ICO fine after 2022 data breach exposed 1.6 million users – here’s how the incident unfoldedNews The impact of the LastPass breach was felt by customers as late as December 2024
-
Scania admits leak of data after extortion attemptNews Hacker stole 34,000 files from a third-party managed website, trucking company says
-
23andMe 'failed to take basic steps' to safeguard customer dataNews The ICO has strong criticism for the way the genetic testing company responded to a 2023 breach.
-
AI recruitment tools are still a privacy nightmare – here's how the ICO plans to crack down on misuseNews The ICO has issued guidance for recruiters and AI developers after finding that many are mishandling data
-
“You must do better”: Information Commissioner John Edwards calls on firms to beef up support for data breach victimsNews Companies need to treat victims with swift, practical action, according to the ICO
-
LinkedIn backtracks on AI training rules after user backlashNews UK-based LinkedIn users will now get the same protections as those elsewhere in Europe
-
UK's data protection watchdog deepens cooperation with National Crime AgencyNews The two bodies want to improve the support given to organizations experiencing cyber attacks and ransomware recovery
-
ICO slams Electoral Commission over security failuresNews The Electoral Commission has been reprimanded for poor security practices, including a failure to install security updates and weak password policies
