The Information Commissioner's Office (ICO) has issued a 100,000 fine to Aberdeen City Council after it was discovered that an employee had posted confidential information relating to the care of vulnerable children online.
The employee in question accessed council documents related to care, including detailed reports and meeting minutes, from her home PC. On accessing the information, it was then automatically uploaded to a website by a file transfer programme installed on her computer. This exposed information about a number of vulnerable children and their relatives, as well as details regarding alleged criminal offences.
As more people take the opportunity to work from home, organisations must have adequate measures in place to make sure the personal information being accessed by home workers continues to be kept secure.
These sensitive files were uploaded between 8 and 14 November 2011 and remained online until 15 February 2012 when they were spotted by another staff member.
Once the council had been alerted, the data was removed and the incident reported to the ICO. Following an ICO investigation, it was discovered the council was unable to restrict the downloading of such sensitive material from employees outside of the office. Furthermore, it did not have a relevant home working policy to prevent this and other issues from arising.
"As more people take the opportunity to work from home, organisations must have adequate measures in place to make sure the personal information being accessed by home workers continues to be kept secure," said Ken Macdonald, Assistant Commissioner for Scotland at the ICO.
"In this case Aberdeen City Council failed to monitor how personal information was being used and had no guidance to help home workers look after the information. On a wider level, the council also had no checks in place to see whether the council's existing data protection guidance was being followed. The result was a serious data breach that left the sensitive information of a vulnerable young child freely available online for three months."
Aberdeen City Council will work with the ICO and agree on how it can ensure compliance with the Data Protection Act going forward.
"We would urge all social work departments to sit up and take notice of this case by taking the time to check their home working setup is up to scratch," Macdonald concluded.
Last month, the ICO issued a 200,000 fine to now-defunct NHS Surrey after almost 3,000 patient records were discovered on a machine bought online.
-
RSAC Conference 2025: The front line of cyber innovationITPro Podcast Ransomware, quantum computing, and an unsurprising focus on AI were highlights of this year's event
-
Anthropic CEO Dario Amodei thinks we're burying our heads in the sand on AI job lossesNews With AI set to hit entry-level jobs especially, some industry execs say clear warning signs are being ignored
-
AI recruitment tools are still a privacy nightmare – here's how the ICO plans to crack down on misuseNews The ICO has issued guidance for recruiters and AI developers after finding that many are mishandling data
-
“You must do better”: Information Commissioner John Edwards calls on firms to beef up support for data breach victimsNews Companies need to treat victims with swift, practical action, according to the ICO
-
LinkedIn backtracks on AI training rules after user backlashNews UK-based LinkedIn users will now get the same protections as those elsewhere in Europe
-
UK's data protection watchdog deepens cooperation with National Crime AgencyNews The two bodies want to improve the support given to organizations experiencing cyber attacks and ransomware recovery
-
ICO slams Electoral Commission over security failuresNews The Electoral Commission has been reprimanded for poor security practices, including a failure to install security updates and weak password policies
-
Disgruntled ex-employees are using ‘weaponized’ data subject access requests to pester firmsNews Some disgruntled staff are using DSARs as a means to pressure former employers into a financial settlement
-
ICO reprimands Coventry school over repeated data protection failuresNews The ICO said the academy trust failed to follow previous guidance, which caused a serious data breach
-
ICO dishes out fine to HelloFresh for marketing spam campaignNews HelloFresh failed to offer proper opt-outs, the ICO said, and customers weren’t warned their data would be used for months after they cancelled
