The Information Commissioner's Office (ICO) today handed out its biggest fine yet, telling Powys County Council to hand over 130,000 for a serious snafu.
The local authority made a major blunder when details of a child protection case were sent to the wrong recipient.
It was believed two pages from one report were mistakenly collected from a printer and mixed up with other papers from a different case. The details were sent out without the council checking the documents.
The distress that this incident would have caused to the individuals involved is obvious and made worse by the fact that the breach could have been prevented.
The recipient knew the identities of the parent and the child whose data was included in the documents. That recipient then made a complaint to the council before their mother made a further complaint through her MP.
This is not the first time Powys County Council has made such a notable blunder. In June 2010, the ICO was made aware that the same recipient was mistakenly sent information relating to a vulnerable child.
"It's the most serious case yet and it has attracted a record fine," said assistant commissioner for Wales Anne Jones.
"The distress that this incident would have caused to the individuals involved is obvious and made worse by the fact that the breach could have been prevented if Powys County Council had acted on our original recommendations.
"There is clearly an underlying problem with data protection in social services departments and we will be meeting with stakeholders from across the UK's local government sector to discuss how we can support them in addressing these problems."
On top of the fine, the ICO has served the council with an enforcement notice that legally requires the authority to improve its data protection practices.
All staff at the council must also now be trained on how to handle personal data by 13 March 2012, with a refresher carried out every three years.
The authority revealed disciplinary action had been taken against the member of staff involved in the breach.
"This was a regrettable case of human error and we have apologised to all parties for the distress the disclosure may have caused," said councillor Michael Jones, leader of Powys County Council.
"The council expects staff, particularly those working in sensitive areas, to maintain the highest possible professional standards."
Showing its teeth?
The significant fine comes just a week after the ICO hit two local authorities with monetary penalties. In one fell swoop, the data protection watchdog fined Worcestershire County Council 80,000 and North Somerset Council 60,000.
The ICO had been quiet on the fining front of late, yet its recent actions may go some distance to silencing critics.
During the Leveson inquiry this week, former deputy information commissioner Francis Aldhouse denied claims made by ex-ICO senior investigations officer Alex Owens that Aldhouse had said newspapers were "too big" to take on.
"I don't fear the media," Aldhouse said.
His comments came on the same day that the Leveson inquiry heard a barrister had advised the ICO in 2003 there was a strong case against journalists looking to obtain private data illegally.
The ICO is asking for stronger powers to deal with breaches of the Data Protection Act, including prison sentences for shocking cases.
-
Dell Technologies Global Partner Summit 2025 – all the news and updates live from Las VegasKeep up to date with all the news and announcements from the annual Dell Technologies Global Partner Summit in Las Vegas
-
Jensen Huang joins Dell Technologies World virtually to talk servers and AI factoriesNvidia CEO virtually joined Michael Dell for the opening keynote of the 2025 conference to talk through a host of AI and server announcements
-
AI recruitment tools are still a privacy nightmare – here's how the ICO plans to crack down on misuseNews The ICO has issued guidance for recruiters and AI developers after finding that many are mishandling data
-
“You must do better”: Information Commissioner John Edwards calls on firms to beef up support for data breach victimsNews Companies need to treat victims with swift, practical action, according to the ICO
-
LinkedIn backtracks on AI training rules after user backlashNews UK-based LinkedIn users will now get the same protections as those elsewhere in Europe
-
UK's data protection watchdog deepens cooperation with National Crime AgencyNews The two bodies want to improve the support given to organizations experiencing cyber attacks and ransomware recovery
-
ICO slams Electoral Commission over security failuresNews The Electoral Commission has been reprimanded for poor security practices, including a failure to install security updates and weak password policies
-
Disgruntled ex-employees are using ‘weaponized’ data subject access requests to pester firmsNews Some disgruntled staff are using DSARs as a means to pressure former employers into a financial settlement
-
ICO reprimands Coventry school over repeated data protection failuresNews The ICO said the academy trust failed to follow previous guidance, which caused a serious data breach
-
ICO dishes out fine to HelloFresh for marketing spam campaignNews HelloFresh failed to offer proper opt-outs, the ICO said, and customers weren’t warned their data would be used for months after they cancelled
