
ICO fines councils after serious email data breaches

For once, USB sticks not involved

The Information Commissioner has given the public sector a harsh warning about the risks of email after two English councils were handed heavy fines for data breach incidents in which highly sensitive personal data was accidentally emailed to the wrong recipients.

The ICO fined Worcestershire County Council £80,000 for an incident in March 2011 in which a member of staff inadvertently emailed data on a large number of vulnerable individuals to 23 people on the wrong contact list.

Separately, North Somerset Council will be asked to pay a £60,000 fine for an incident late in 2010 in which a member of staff sent five emails regarding a child's serious case review to the wrong NHS employee, a breach of the Data Protection Act.

For once, the latest cases do not involve the usual data loss culprit, USB sticks. The roots of both cases seem to be a mixture of personal mistakes and the limitations of email systems when used to distribute data to groups of professionals, neither of which the councils involved seem to have anticipated.

In the Worcestershire case, the ICO said that the Council had not taken steps to train staff on the use of mailing lists and should have considered alternative ways of distributing data given the risk of mistakes.

Mitigating the incident, the member of staff that sent the email in question had realised the mistake immediately and made attempts to contact the unintended recipients, all of whom worked for registered organisations.

The North Somerset case was potentially more serious despite being on a far smaller scale. The member of staff was informed of the mistake after sending the first email to the wrong person but sent a further three messages in the same manner. Despite two of the Council's assistant directors then highlighting the issue with the employee, a fifth email incident occurred.

"It is of great concern that this sort of information was simply sent to the wrong recipients by staff at two separate councils," said Information Commissioner, Christopher Graham.

"It was fortunate that in both cases at least the email recipients worked in a similar sector and so were used to handling sensitive information. This mitigating factor has been taken into account in assessing the amount of the penalties."

Last week, privacy and anti-surveillance organisation Big Brother Watch released a report which drew back a veil on the stunning scale of data loss by public sector organisations.

The organisation said it had details of 1,035 potential data loss incidents by local authorities in the three years to July 2011 - uncovered using Freedom of Information requests - of which only 55 had been reported to the ICO.

