Council apologises over breach

A SERIOUS data breach which led to sensitive information being emailed to the wrong people has led to Worcestershire County Council being fined £80,000 by the Information Commissioner’s Office.

The breach occurred in March this year when a staff member accidentally clicked on an additional contact list and sent an email intended for internal use containing sensitive information about a large group of vulnerable people to 23 care providers including fostering organisations and schools.

The staff member realised her mistake immediately and attempted to recall the emails, as well as phoning the unintended recipients to ask them to delete the original email.
Fortunately, as the recipients were used to dealing with sensitive information, 21 of the 23 emails were deleted, while one was undeliverable and one went to an address that was no longer in use.

While Information Commissioner Christopher Graham recognised that the staff member and the council had taken action to try to rectify the situation, he concluded there had been a serious breach of data protection and that the measures in place to prevent such a breach were not appropriate given the impact it could have.

The commissioner described it as ‘fortuitous’ that the email had gone to recipients bound by confidentiality clauses. He was particularly critical of a lack of training for staff, the failure to differentiate between internal and external addresses in the central and local email distribution lists, and the failure to hold the information in a secure system that could only be accessed by staff who needed to see it.
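The second failing above, distribution lists that mix internal and external addresses, is the kind of thing a pre-send check can catch. The following is an added illustration, not the council's system or anything from the ICO's findings: it expands (possibly nested) distribution lists, classifies each resolved address by domain, and refuses to release a message marked internal-only if any recipient is external. The domain, list names and addresses are constructed placeholders.

```python
# Added example: refuse to send an internal-only message to any external
# recipient once distribution lists have been expanded. All names below
# are constructed for illustration.

INTERNAL_DOMAINS = {"council.example"}  # assumption: the organisation's own mail domains

# Constructed distribution lists; an entry may be an address or another list.
DISTRIBUTION_LISTS = {
    "social-care-team": ["alice@council.example", "bob@council.example"],
    "care-providers": ["intake@fostering.example", "admin@school.example"],
    "safeguarding-all": ["social-care-team", "care-providers"],  # nested, mixed
}


def expand_recipients(recipients, lists=DISTRIBUTION_LISTS, seen=None):
    """Flatten list names into individual addresses, guarding against cycles."""
    seen = set() if seen is None else seen
    addresses = set()
    for entry in recipients:
        if entry in lists:
            if entry in seen:      # already expanded: a cyclic or repeated list
                continue
            seen.add(entry)
            addresses |= expand_recipients(lists[entry], lists, seen)
        else:
            addresses.add(entry.strip().lower())
    return addresses


def external_recipients(addresses, internal_domains=INTERNAL_DOMAINS):
    """Return, sorted, the addresses whose domain is not one of ours."""
    return sorted(a for a in addresses
                  if a.rsplit("@", 1)[-1] not in internal_domains)


def check_send(recipients, classification):
    """Decide whether a message may leave. Returns (allowed, reasons)."""
    external = external_recipients(expand_recipients(recipients))
    if classification == "internal" and external:
        return False, [f"internal-only message addressed to external recipient {a}"
                       for a in external]
    return True, []
```

A check like this only helps if messages carry a classification and the list membership data is accurate; it does not replace restricting who can see the underlying records.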

“There is too much of this sort of thing going on across local government,” Mr Graham said.

“People who handle highly sensitive personal information need to understand the real weight of responsibility that comes with keeping it secure. Of course this includes having the correct training and policies in place, but it’s also about common sense. Considering whether email is the appropriate medium, checking and double checking the right recipients will receive the information – and measures like encryption and data minimisation – should be routine. I hope these penalties send a clear message to those working in the social care sector. The Information Commissioner takes this sloppiness seriously – and so should you.”

A spokeswoman for the county council said they accepted the ICO’s findings and called the incident regrettable, adding that they were very sorry.

“We are a large, people-based organisation and this means sometimes, through human error, mistakes are made. It is important on the occasions when we do fall below standards, improvements are made to minimise the chance of future mistakes and rigorous new processes have been up-and-running since this unfortunate incident.”