UK: Telford and Wrekin Council fined £90,000 following disclosure of vulnerable children’s data
From the ICO, another large penalty:
Telford and Wrekin Council has been issued with a penalty of £90,000 by the Information Commissioner’s Office (ICO), following a breach of the Data Protection Act (DPA) involving the disclosure of confidential and sensitive personal data relating to four vulnerable children.
The fine was issued following two similar data breaches, which occurred within two months of each other.
The first occurred on 31 March 2011, when a member of staff working in Safeguarding Services sent the Social Care Core Assessment of one child to the child’s sibling instead of their mother, who lived at the same address. The assessment included sensitive details of the child’s behaviour. It also included the name and address, date of birth and ethnicity of a further young child who had made a serious allegation against one of the other children.
The second breach concerned the inclusion of the names and addresses of the foster care placements of two young children in their Placement Information Record (PIR). The PIR was printed out and shown to the children’s mother, who noticed the foster carers’ address. The Council then decided to move the children to alternative foster care placements to minimise the effect on the data subjects concerned.
An investigation carried out by the Council following the first breach found that the relationship records set up on the children’s information system, Protocol, for the children involved in the first incident, were not populated with adequate information. The Protocol system was set up so that the details of individuals were printed automatically on the assessment, although a user could tick a box to ensure that the details weren’t printed. There was also no process in place to check the documents before they were posted out.
Its subsequent investigation, following the second breach, found that the default setting on the Protocol system was to include the foster carer’s details in the PIR, and there was no process in place to check the PIR after it was printed.
The ICO’s Deputy Commissioner and Director of Data Protection David Smith said:
“The decision by the ICO to issue a penalty in this case reflects its seriousness – these were two very similar data breaches which occurred within a short space of time, and both involved highly confidential and sensitive personal data.
“Most importantly, some of the people affected were vulnerable children, two of whom had to be moved to a new foster home as a result of the second data breach. It is the responsibility of all organisations – especially where children or other vulnerable people are involved – to keep sensitive personal data secure.”
The Council has now committed to taking action including providing Safeguarding Services staff with further training and support on data protection and information security as well as on using the Protocol system. They are also introducing formal guidance on checking documents printed off the Protocol system, and making changes to its configuration.