Today the Information Commissioner's Office has notified two councils of monetary fines for breaching the Data Protection Act.

  1. Croydon Council has been handed a penalty of £100,000.
  2. Norfolk County Council has been served with an £80,000 penalty.

Croydon Council

The Croydon Council breach was the result of an unlocked bag belonging to a social worker being stolen from a London pub. The worker was taking papers, including information about the sexual abuse of a child and six other people connected to a court hearing, home for use at a meeting the following day. The bag and its contents have never been recovered.

The ICO’s investigation found that while Croydon Council did have data protection guidance available at the time of the theft, it was not actively communicated to staff and the council had failed to monitor whether it had been read and understood. The council’s policy on data security was also inadequate and did not stipulate how sensitive information should be kept secure when taken outside of the office.

Norfolk County Council

The Norfolk County Council breach was the result of another social worker sending a report to the wrong address. The report contained confidential and highly sensitive personal data about a child.

The ICO’s investigation found that the social worker had not completed mandatory data protection training and that the council did not have a system in place for checking whether training had been completed.

Stephen Eckersley, Head of Enforcement, said:

“We appreciate that people working in roles where they handle sensitive information will – like all of us – sometimes have their bags stolen. However, this highly personal information needn’t have been compromised at all if Croydon Council had appropriate security measures in place.

“One of the most basic rules when disclosing highly sensitive information is to check and then double check that it is going to the right recipient. Norfolk County Council failed to have a system for this and also did not monitor whether staff had completed data protection training.

“While both councils acted swiftly to inform the people involved and have since taken remedial action, this does not excuse the fact that vulnerable children and their families should never have been put in this situation.”