Council fined £120,000 for sensitive data emails

by Katy Murcutt - Paralegal

14 June 2011, filed under Consumer

A Council here in the UK has been heavily fined £120,000 for accidentally emailing sensitive personal information to the wrong addresses, the ICO (Information Commissioner’s Office) has stated.

The Information Commissioner’s office, which is the United Kingdom’s watchdog for data protection, has discovered that many employees in various departments within Surrey’s County Council, had sent three emails, which had been to the wrong addresses containing highly sensitive, and important information.

The ICO have the power to fine companies, and businesses for loss or damage to personal data they are responsible for, even if it is accidental, under the Data protection Act.

In the middle of May last year, a member of staff from the Adult Social Care Teams Unit, had accidentally sent the email with a file which contained the sensitive information of the mental, and also physical health of 241 adults to a group email address, which had also included 361 coach, taxi and mini bus companies the Information Commissioner’s Office has stated.
The information which had been sent had not been encrypted and even though the recipients had been asked to delete the email, the council were unable to confirm if any of them had done it, the ICO replied.

There had been another incident which had been reported which was similar to this a month after, where confidential personal information was distributed by accident to a long list of people who had only asked to be signed up the regular council newsletter.

And then in January of this year the same Council discovered a third incident of accidental data sent to the wrong address when a Family Support Worker had accidentally sent an email with classified information to the incorrect internal email group.

The ICO have since said that the employees in the Surrey Council seriously lacked the essential training in IT and support and while appropriate action had taken place following the first incident, it failed to prevent a further two occurrences from happening.

Data protection measures which are too relaxed are not acceptable, the ICO have stated.

COmputers are a modern way of life, they provide communication to anywhere in the world via email. If your employees or family use the internet, make sure they read our guide 10 Tips to Using the Internet Safely .