ICO fines Midlothian Council £140K for data breaches

The Information Commissioner’s Office (ICO) has imposed its highest monetary penalty yet of £140,000 on Midlothian Council for breaching personal data.

Until now, the biggest penalty issued by the ICO was £130,000 to Powys County Council, for sending details of a child protection case to the wrong recipient.

Midlothian Council, which is the first Scottish organisation to receive a monetary penalty from the ICO, sent sensitive personal data about children and their carers to the wrong people on five separate occasions, between January and June 2011.

“The serious upset that these breaches would have caused to the children’s families is obvious and it is extremely concerning that this happened five times in as many months,” said Ken Macdonald, assistant commissioner for Scotland.

“I hope this penalty acts as a reminder to all organisations across Scotland and the rest of the UK to ensure that the personal information they handle is kept secure,” he said.

The ICO’s investigation found all five breaches could have been avoided if the council had put adequate data protection policies, training and checks in place.

The ICO has ordered the council to take action to keep the personal information it handles secure.

Midlothian Council has recovered all of the information mistakenly sent to the wrong recipients. It will now check all records to ensure that the details it holds are up to date.

Midlothian Council will also update its existing data protection policy to include provisions for social services staff handling personal data. Any outgoing letters containing sensitive or confidential data will be checked by another member of staff before being sent. The council will improve its data protection training scheme.

The ICO is asking the government for stronger powers to audit local councils’ data protection compliance, if necessary without consent. The same powers are sought for NHS bodies across the UK, following a series of data protection breaches.

Earlier this month, the ICO notified the Brighton and Sussex University Hospitals Trust that it was considering a £375,000 penalty after patient records were stolen from Brighton General Hospital and sold on eBay.

But the Brighton and Sussex University Hospitals Trust is appealing against the penalty, because it claims the disks containing the patient data were sold by a contractor employed to destroy them.

The ICO can issue notices indicating what punishment it considers appropriate for any breach, but can change or withdraw the proposed penalty after considering representations by the organisation involved.