Leeds Council fined £95,000 for leaking information on re-used envelope

A COUNCIL in Yorkshire has been fined £95,000 after sensitive personal details about a child in care were mistakenly sent out.

The information posted by an official at Leeds City Council to someone who had nothing to do with the case revealed details of a criminal offence, school attendance, the level of contact agreed with siblings and information about the child’s relationship with their mother.

The error occurred when the council was following a policy of reusing envelopes.

Hide Ad
Hide Ad

When sending internal mail, the council re-used envelopes that had been used for external mail. But in this case the external address was not crossed out, and the sensitive file was received by the wrong person.

A report by the Information Commissioner’s Office said the information had been sent out by a support assistant working in the council’s children’s services department.

The report said it was standard practice at the time to send internal mail in used envelopes because it was cost-efficient and environmentally-friendly.

It added that the council had failed to take appropriate organisational measures against unauthorised processing of personal data, such as using different envelopes for internal and external mail that were clearly distinguishable and having a peer checking process for envelopes containing sensitive personal data.

Hide Ad
Hide Ad

Leeds City Council chief executive Tom Riordan said: “We take our data protection responsibilities seriously and regard any breach as unacceptable.

“We accept the findings of the Information Commissioner and although we have already apologised to the individual affected we would like to take this opportunity to do so again.

“The incident happened over a year ago and we acted swiftly at the time to recover the data and put robust new systems in place to minimise the risk of this happening again.

“We handle vast amounts of highly-sensitive data on a daily basis, and have introduced a comprehensive information governance training programme for all of our 15,000 staff.

Hide Ad
Hide Ad

“We would welcome opportunities to be part of any broader national review to strengthen practice.”

Leeds was one of four councils fined by the Information Commissioner. Plymouth City Council and Devon County Council were fined after separate incidents saw details of child care cases sent to the wrong recipients, while the London Borough of Lewisham was issued with a penalty of £70,000 after social work papers were left on a train.

Information Commissioner Christopher Graham said: “We are fast approaching £2m of monetary penalties issued to UK councils for breaching the Data Protection Act, with 19 councils failing to have the most straightforward of procedures in place

“It would be far too easy to consider these breaches as simple human error. The reality is that they are caused by councils treating sensitive personal data in the same routine way they would deal with more general correspondence. Far too often in these cases, the councils do not appear to have acknowledged that the data they are handling is about real people.

Hide Ad
Hide Ad

“The distress that these incidents would have caused to the people involved is obvious.

“The penalties we have issued will be of little solace to them, but we do hope it will stop other people having to endure similar distress by sending out a clear message that this type of approach to personal data will not be tolerated.

“There is clearly an underlying problem with data protection in local government and we will be meeting with stakeholders from across the sector.”