Council and firm both fined over data breaches

A council has been fined £100,000 by the data regulator today for accidentally faxing highly sensitive information about cases involving child sex abuse and care proceedings to the wrong recipients on two occasions in the space of two weeks.

The Information Commissioner served the monetary penalty on Hertfordshire County Council for serious breaches of the Data Protection Act.

A separate fine of 60,000 was also imposed on Sheffield-based employment services company A4e over the theft of a laptop containing personal information about 24,000 people who had used community legal advice centres in Hull and Leicester.

Hide Ad
Hide Ad

Hertfordshire County Council reported the breaches in June and said today that it accepted the Commissioner's findings. Processes were now in place to prevent a repeat.

The first misdirected fax, which was meant for barristers' chambers, was sent to a member of the public.

The council subsequently obtained a court injunction prohibiting disclosure of the details.

The second fax, sent 13 days later by a different employee, contained information relating to the care proceedings of three children, the previous convictions of two individuals, domestic violence records and care professionals' opinions.

Hide Ad
Hide Ad

Instead of going to Watford County Court, it was mistakenly sent to a barristers' chambers unconnected with the case.

In the A4e case, which also happened in June, the firm was punished for issuing an unencrypted laptop containing sensitive personal information including names, dates of birth, postcodes, income level and details of alleged criminal activity to an employee working from home in London, which was subsequently stolen.

As well as reporting the incident to the ICO, the company notified the people whose data could have been accessed.

Information Commissioner Christopher Graham said: "It is difficult to imagine information more sensitive than that relating to a child sex abuse case.

Hide Ad
Hide Ad

"I am concerned at this breach – not least because the local authority allowed it to happen twice within two weeks.

"The laptop theft, while less shocking, also warranted nothing less than a monetary penalty as thousands of people's privacy was potentially compromised by the company's failure to take the simple step of encrypting the data."

A4e chief executive Andrew Dutton said: "We fully accept today's judgment and will continue to co-operate with the ICO."