UK: Repeated failure to protect privacy of records results in an undertaking for Kirklees Metropolitan Council
When I saw that the Information Commissioner’s Office had required Kirklees Metropolitan Council to sign an undertaking following a breach, the name sounded familiar. But it turns out that it was not the stolen computer breach mentioned on DataBreaches.net two weeks ago, but an earlier breach that occurred in July 2010. From the undertaking:
The Information Commissioner (the “Commissioner”) was notified that in July 2010 care workers contracted by the data controller had left client personal data clearly visible in their cars whilst on visits. The data consisted of call summary and time sheets.
The data included information relating to the physical health of 18 vulnerable elderly people. The error was compounded because the data controller was initially informed of a similar incident in January 2010 but failed to take appropriate action resulting in two further similar incidents in July 2010 and March 2011.The Commissioner’s investigation revealed a lack of sufficient checks and controls in the security procedures carried out by a data processor on behalf of the data controller .
Going forward, the council will need to have better controls in place and to follow up on all reports promptly.