recent work

Summary of data protection and privacy happenings over the summer period; publishing personal details online, leaking information and wrong fax numbers. Lessons learnt…?

1. Council employee publishes vulnerable children’s welfare details online
The Information Commissioner’s Office (ICO) has served Aberdeen City Council with a monetary penalty of £100,000 after a serious data breach resulted in sensitive information relating to social services involvement with several individuals being published online.

The information was released after a council employee accessed documents, including detailed reports, from her home computer. A file transfer program installed on the machine automatically uploaded the documents to a website, publishing sensitive information about several vulnerable children and their families.

The ICO’s investigation found that the council had no relevant home working policy in place for staff and did not have sufficient measures in place to restrict the downloading of sensitive information from the council’s network.

2. Council publishes over 2,000 residents’ personal details online
The Information Commissioner’s Office (ICO) has served Islington Council with a monetary penalty of £70,000 after personal details of over 2,000 residents were released online.

The information was inadvertently released in response to a freedom of information request, and revealed sensitive personal information relating to residents’ housing needs.

The breach occurred due to a lack of understanding of pivot tables. These are used in Microsoft Excel and other spreadsheet programs to neatly summarise large amounts of data. But the tables retain a copy of the source data used. This information is hidden from view, but is easily accessible.

3. Probation officer prosecuted for leaking victim’s details to alleged culprit
A probation officer who revealed a domestic abuse victim’s new address to the alleged perpetrator has been successfully prosecuted by the Information Commissioner’s Office (ICO).

Victoria Idowu claimed that she provided the victim’s full name, new address and date of birth, along with the details of the investigating officer, as she believed that the individual already knew this information and she was keen to avoid a case of mistaken identity.

Ms Idowu, who had worked at the trust since October 2005, has already been the subject of disciplinary proceedings by London Probation Trust, which resulted in her employment being terminated due to gross misconduct.

Unlawfully obtaining or accessing personal data is a criminal offence under section 55 of the Data Protection Act 1998.

4. Bank of Scotland penalised after four year fax blunder
The Information Commissioner’s Office (ICO) has served the Bank of Scotland with a monetary penalty of £75,000 after customers’ account details were repeatedly faxed to the wrong recipients.

The information included payslips, bank statements, account details and mortgage applications, along with customers’ names, addresses and contact details. The documents were faxed over a four year period, with the first incident reported to the bank in February 2009 by a third party organisation.

Tags: , , ,