Council fined £120,000 for data protection breach

Complying with data protection regulations remains a problem for many companies and organisations.

In a recent case, Stoke-on-Trent Council was fined £120,000 after one of its employees emailed sensitive information about a child protection case to the wrong person.

An investigation by the Information Commissioner’s Office (ICO) found that the employee breached the council’s guidance policy which stated that sensitive information should be encrypted or sent over a secure network.

However, in this case, the council had failed to provide encryption software and knew that emails were being sent to unsecure networks. The council had also failed to provide relevant training.

Stephen Eckersley, Head of Enforcement at the ICO, said: “If this data had been encrypted then the information would have stayed secure. Instead, the authority has received a significant penalty for failing to adopt what is a simple and widely used security measure.

“The council has now introduced new measures to improve the security of information sent electronically, as well as signing a legal notice to improve the data protection training provided to their staff. This should limit the chances of further personal information being lost.”

The ICO says that anyone who processes personal information must comply with eight principles of the Data Protection Act. It’s essential to ensure that personal information is:

• Fairly and lawfully processed
• Processed for limited purposes
• Adequate, relevant and not excessive
• Accurate and up to date
• Not kept for longer than is necessary
• Processed in line with people’s rights
• Secure
• Not transferred to other countries without adequate protection

Please contact us if you would like more information about the issues raised in this article or any matter relating to business regulations.