recent work

Two Councils fined total of £140,000 for data breaches

The Information Commissioner’s Office has confirmed that two Councils in the UK, North Somerset and Worcestershire County have both been served monetary fines for breaching the Data Protection Act.

Worcestershire County will have to pay £80,000 for an incident that happened in March 2011; 23 unintended recipients received highly sensitive and personal information relating to a large number of vulnerable people. It was found that appropriate training hadn’t been given to staff members and secure systems had not been put in place to ensure that situations such has this didn’t occur.

North Somerset’s fine is £60,000 – the wrong HNS employee received highly sensitive and confidential information relating to a child’s serious case review. Having been informed of the error, the employee sending the emails then continued to send emails to the wrong recipient a further three times.

In both cases, although policies and procedures were in place, there was no sufficient staff training in data protection. Email security, such as encryption, also needs to be addressed and trained in appropriately.

Information Commissioner, Christopher Graham, said:

“Personal information in cases involving vulnerable people is about the most sensitive personal information imaginable. It is of great concern that this sort of information was simply sent to the wrong recipients by staff at two separate councils. It was fortunate that in both cases at least the email recipients worked in a similar sector and so were used to handling sensitive information. This mitigating factor has been taken into account in assessing the amount of the penalties.

“There is too much of this sort of thing going on across local government. People who handle highly sensitive personal information need to understand the real weight of responsibility that comes with keeping it secure. Of course this includes having the correct training and policies in place, but it’s also about common sense. Considering whether email is the appropriate medium, checking and double checking that the right recipients will receive the information – and measures like encryption and data minimisation – should be routine. I hope these penalties send a clear message to those working in the social care sector. The Information Commissioner takes this sloppiness seriously – and so should you.”

Absolute Data is committed to ensuring companies and organisations, regardless of their size, create and follow realistic policies and procedures that are above the law. We can help your organisation create robust and effective data protection policies and procedures: we can spend some time getting to know what data-related activity your business partakes in, and ensure that your policies and procedures reflect this activity. We can also help to train your staff; not only in the importance of data protection, but how they can ensure they are fully adhering to data protection law. DataWise, one of our services, provides clients with a data protection toolkit, which offers a robust and effective solution in reducing the risk of data breaches. With the ICO’s power to fine up to £500,000 for data breaches, it is worth getting in touch with us to discuss how your organisation can ensure legal data compliance. Contact us now at, or call us on 01423 790125.