Scottish council slapped with record ICO fine

Data protection

Midlothian Council was today fined a record amount by the Information Commissioner's Office (ICO) for five separate data handling blunders.

The council mistakenly sent sensitive data relating to children and their carers to the wrong recipients, amounting to "five serious data breaches," the ICO said.

All five occurred between January and June 2011. One saw seven healthcare professionals sent details relating to the status of a foster carer, even though none of them had any reason to see the information.

The serious upset that these breaches would have caused to the children's families is obvious.

Midlothian Council was handed a 140,000 fine and told to improve its practices. The local authority has agreed to update its current data protection policy as well as ensure its records are up to date.

"Information about children's care, as well as details about their health and wellbeing, is some of the most sensitive information a local authority holds. It is of vital importance that this information is protected and that robust policies are followed before it is disclosed," said Ken Macdonald, assistant commissioner for Scotland.

"The serious upset that these breaches would have caused to the children's families is obvious and it is extremely concerning that this happened five times in as many months. I hope this penalty acts as a reminder to all organisations across Scotland and the rest of the UK to ensure that the personal information they handle is kept secure."

The ICO is currently looking into a further three cases where confidential data was sent to the wrong recipients.

The council said it accepted the fine after reporting eight cases to the ICO.

"All were human error and a number of staff have been disciplined. All the information was retrieved or destroyed," an official statement read.

"Existing procedures have been further strengthened and an independent expert is to be brought in to ensure the council has done all it can to minimise recurrence."

The record fine marks the first time a Scottish organisation has been handed a monetary penalty by the ICO.

It came almost two months after the ICO told Welsh body Powys County Council to pay out 130,000 after details of a child protection case were sent to the wrong recipient.

At the time, it was a record fine, but that has now been eclipsed by this latest case.

The ICO may get powers to fine companies even more if the European Commission's data protection proposals come into force.

The EC wants to allow data protection regulators to fine companies up to two per cent their global annual turnover if they breach the law.

Tom Brewster

Tom Brewster is currently an associate editor at Forbes and an award-winning journalist who covers cyber security, surveillance, and privacy. Starting his career at ITPro as a staff writer and working up to a senior staff writer role, Tom has been covering the tech industry for more than ten years and is considered one of the leading journalists in his specialism.

He is a proud alum of the University of Sheffield where he secured an undergraduate degree in English Literature before undertaking a certification from General Assembly in web development.