The five serious data breaches – all involving children’s social service reports being sent to the wrong recipients – happened at Midlothian Council and occurred between January and June 2011.

  • One breach concerned papers concerned with the status of a foster carer being sent to 7 healthcare professionals who had no need to see them
  • Another case was of the minutes of a child protection conference being sent in error to the former address of a mother’s partner, where they were opened and read by his ex-partner. The papers also contained personal data about the children’s mother

The first breach occurred in January 2011 but did not come to light until March

Ken Macdonald, Assistant Commissioner for Scotland said:

“Information about children’s care, as well as details about their health and wellbeing, is some of the most sensitive information a local authority holds. It is of vital importance that this information is protected and that robust policies are followed before it is disclosed.   

“The serious upset that these breaches would have caused to the children’s families is obvious and it is extremely concerning that this happened five times in as many months. I hope this penalty acts as a reminder to all organisations across Scotland and the rest of the UK to ensure that the personal information they handle is kept secure.”

The ICO’s investigation found that all five breaches could have been avoided if the council had put adequate data protection policies, training and checks in place.

The ICO has ordered the council to take action to keep the personal information they handle secure. The council has recovered all of the information mistakenly sent to the wrong recipients and will now check all records to ensure that the details they hold are up-to-date.