recent work

Leeds City Council fined £95,000 for data breach

Leeds City Council has been fined £95,000 for sending sensitive information about a child in care to the wrong person through internal mail.

It revealed a criminal offence, school attendance and details of the youngster’s relationship with their mother.

When sending internal mail, the council reuses envelopes which have been used for external mail.

In this instance, the external address was not crossed out and the sensitive file was posted to someone who had nothing to do with the case.

The Information Commissioner’s Office (ICO) has criticised local government’s attitude towards protecting personal data, after other councils were also fined for breaching the Data Protection Act.

Information Commissioner Christopher Graham said: “We are fast approaching two million pounds worth of monetary penalties issued to UK councils for breaching the Data Protection Act, with nineteen councils failing to have the most straightforward of procedures in place.

“It would be far too easy to consider these breaches as simple human error. The reality is that they are caused by councils treating sensitive personal data in the same routine way they would deal with more general correspondence. Far too often in these cases, the councils do not appear to have acknowledged that the data they are handling is about real people, and often the more vulnerable members of society.

“The distress that these incidents would have caused to the people involved is obvious. The penalties we have issued will be of little solace to them, but we do hope it will stop other people having to endure similar distress by sending out a clear message that this type of approach to personal data will not be tolerated.

“There is clearly an underlying problem with data protection in local government and we will be meeting with stakeholders from across the sector to discuss how we can support them in addressing these problems.”

The ICO is pressing the Ministry of Justice for stronger powers to audit local councils’ data protection compliance – if necessary without consent.

The same powers are sought for NHS bodies across the UK following a series of data protection breaches in the health sector.