Stoke council fined £120k after child data breach
25 October 2012
Stoke-on-Trent City Council has been hit with a major fine after sensitive information on a child protection case was emailed to the wrong person, the Information Commissioner's Office has confirmed.
The ICO, which can fine up to £500,000 for serious breaches of the Data Protection Act, said the £120,000 fine issued to Stoke council reflected the fact it had not resolved issues after an earlier breach of a similar nature.
The latest breach happened in December 2011 when 11 emails were sent by a solicitor at the authority to the wrong address. The watchdog found that highly sensitive information on the care of a child was involved as well as further information on the health of two adults and two other children.
The authority's guidance, which was breached by the solicitor, had stated sensitive data needed to be encrypted or sent over a secure network.
But the council failed to provide the legal department with encryption software and knew that the team had to send emails to unsecure networks. A lack of data protection training was also identified by the ICO.
"If this data had been encrypted then the information would have stayed secure," said Stephen Eckersley, head of enforcement at the ICO.
"Instead, the authority has received a significant penalty for failing to adopt what is a simple and widely used security measure."
Eckersley added that it was "particularly worrying" that "similar concerns around encryption at the authority" were identified in a 2010 breach
but were not "properly resolved".
After the earlier incident the council had committed to improving data security measures after sensitive data relating to 40 children in childcare was lost after being stored on an unencrypted memory stick.
In a statement today Stoke council said it had recently taken "proactive extra measures" to ensure data breaches became "a thing of the past". Security steps taken included a secure remote access system, encryption of all portable devices, blocking of unencrypted or non-council USB devices, file encryption and a secure email portal.
"It was prudent after the Information Commissioner's Office notified us of our weaknesses that we acted immediately to improve the situation," said Steve Sankey, assistant director of business technology. "I am now confident that the right tools have been made available to make sure the information is as secure as it could be while enabling staff to work effectively."