Scottish council slapped with record ICO fine
Midlothian Council is told to pay £140,000 after sending sensitive data to the wrong recipients five times in the space of six months.
Midlothian Council was today fined a record amount by the Information Commissioner's Office (ICO) for five separate data handling blunders.
The council mistakenly sent sensitive data relating to children and their carers to the wrong recipients, amounting to "five serious data breaches," the ICO said.
All five occurred between January and June 2011. One saw seven healthcare professionals sent details relating to the status of a foster carer, even though none of them had any reason to see the information.
Midlothian Council was handed a £140,000 fine and told to improve its practices. The local authority has agreed to update its current data protection policy as well as ensure its records are up to date.
"Information about children's care, as well as details about their health and wellbeing, is some of the most sensitive information a local authority holds. It is of vital importance that this information is protected and that robust policies are followed before it is disclosed," said Ken Macdonald, assistant commissioner for Scotland.
"The serious upset that these breaches would have caused to the children's families is obvious and it is extremely concerning that this happened five times in as many months. I hope this penalty acts as a reminder to all organisations across Scotland and the rest of the UK to ensure that the personal information they handle is kept secure."
The ICO is currently looking into a further three cases where confidential data was sent to the wrong recipients.
The council said it accepted the fine after reporting eight cases to the ICO.
"All were human error and a number of staff have been disciplined. All the information was retrieved or destroyed," an official statement read.
"Existing procedures have been further strengthened and an independent expert is to be brought in to ensure the council has done all it can to minimise recurrence."
The record fine marks the first time a Scottish organisation has been handed a monetary penalty by the ICO.
It came almost two months after the ICO told Welsh body Powys County Council to pay out £130,000 after details of a child protection case were sent to the wrong recipient.
At the time, it was a record fine, but that has now been eclipsed by this latest case.
The ICO may get powers to fine companies even more if the European Commission's data protection proposals come into force.
The EC wants to allow data protection regulators to fine companies up to two per cent of their global annual turnover if they breach the law.
Tom Brewster is currently an associate editor at Forbes and an award-winning journalist who covers cyber security, surveillance, and privacy. Starting his career at ITPro as a staff writer and working up to a senior staff writer role, Tom has been covering the tech industry for more than ten years and is considered one of the leading journalists in his specialism.
He is a proud alum of the University of Sheffield where he secured an undergraduate degree in English Literature before undertaking a certification from General Assembly in web development.
