Leeds City Council has been fined £95,000 by the UK’s data protection watchdog after it sent highly confidential and sensitive personal data about a child in care to the wrong person.
A report from the Information Commissioner’s Office said the mistake happened when a support assistant in the council’s Children’s Services department re-used an old envelope to send a file internally – the practice at the time.
The old address was never crossed out, however, and the envelope ended up being sent out with the external mail.
The file contained details of a criminal offence by the child in care, his level of truancy and details of his relationship with his mother.
We reported back in August that the data protection watchdog was investigating three serious breaches of information security at Leeds City Council. This was presumably one of the three. No word has reached us of the other two.
Remedial action taken
The report accused the council of having no specific policies in place on security measures to be applied when sending sensitive personal data. It noted, however, that remedial action has now been taken.
“The Commissioner understands that although the data controller (Leeds City Council) had overarching policies relating to data protection and information security (among others) which were available to staff on the intranet together with limited training, there were no specific policies or training on security measures to be applied when sending sensitive personal data to internal or external third parties,” the report said.
The remedial action includes having different envelopes for internal mail and using new envelopes for external mail.
External mail now has to be marked up with a budget code to distinguish it from the internal mail and envelopes containing sensitive personal data are also “peer-checked before delivering such mail by hand”, the report said.
Finally, as we reported in August, the council has introduced a comprehensive training programme on “information governance” for all staff.
“Underlying problem” in local government
Leeds was one of four councils fined a total of £300,000 by the Information Commissioner’s Office (ICO) for recent serious breaches of the Data Protection Act.
The ICO is going to meet representatives from councils to address what it has called an “underlying problem” with their approach to data protection.
“There is clearly an underlying problem with data protection in local government and we will be meeting with stakeholders from across the sector to discuss how we can support them in addressing these problems,” Information Commissioner Christopher Graham said.