Plymouth city council fined £60,000 for handing over personal data to wrong person
PLYMOUTH City Council has been fined £60,000 for sending a child neglect report containing "highly sensitive personal data" to the wrong person.
The Information Commissioner's Office (ICO), an independent body that promotes openness of official information and protection of private information, yesterday fined the local authority thousands of pounds for a "serious breach" of the Data Protection Act.
Details of a child neglect case including confidential information about two parents and four children, notably allegations of child neglect resulting in ongoing care proceedings, were sent to the wrong recipient, the ICO report said.
The incident occurred last November and involved two social workers who both worked in the Children's Services department.
Business Cards From Only £10.95 Delivered www.myprint-247.co.ukView details
Contact: 01858 468192
Valid until: Wednesday, May 22 2013
One of the social workers had been having difficulties trying to print a report on his floor so had attempted to use the printer on the first floor that is normally used by another social worker.
The printer on the first floor did not print the report immediately and although the social worker did not wait for the report to print, it was stored on the system.
Another social worker later used the printer and when they went to collect their printout also collected three photocopied pages of the other social worker's report unknowingly, the report said.
Both reports then ended up in the hands of a woman, including the three photocopied pages belonging to two parents and their four children which included allegations of child neglect, the report said.
The report also states that the woman who was handed both reports then telephoned the data controller to report their mistake.
But the woman also contacted the other family via a private message on a social networking site to inform them that she had received information about them.
An investigation by the ICO found that the council had no secure system in place for printing reports containing sensitive personal data, and had failed to take reasonable steps to ensure reports were checked before they were sent out.
Stephen Eckersley, head of enforcement at the ICO, said: "It would be too easy to consider this a simple human error. The reality is that this incident happened because not enough care was being taken within the organisation when handling vulnerable people's sensitive information.
"The distress this incident will have caused the people involved is obvious, and the penalty we have issued today reflects that."
Plymouth City Council said steps have now been taken to ensure a breach of this nature does not happen again.
A spokeswoman said: "The breach occurred a year ago because three pages of information were collected from a printer in error together with another document. It was given to a client in an envelope by a social worker. It was later reported by the client and immediate action was taken to manage the situation.
"In line with guidance, the incident was reported to the Information Commissioner's Office. The three pages were quickly recovered and destroyed, both clients were spoken with about the incident and our sincerest apologies were offered.
"Practical steps to prevent a similar situation happening again were taken including secure pin printing so that reports are only printed when staff activate the printer with their code, which reduces the risk of papers being mixed up.
"Extra checks before sensitive documents are dispatched from the office are also being devised. Children's Social Care have reinforced to all managers and staff that all employees have personal responsibility for the confidentiality of client information and the security of documents."
The council will only pay £48,000 in actual terms because of early payment of the fine.
Comment – Page 11