Charity Fined £70,000 over Breach

Worker Left Sensitive Info Outside Home
Charity Fined £70,000 over Breach

The UK Information Commissioner's Office has fined Norwood Ravenswood Ltd., a social care charity located in London, £70,000 after one if its social workers failed to safeguard sensitive reports for four children.

See Also: Online Retailers at Increased Risk

The fine is for a violation of the UK Data Protection Act.

On Dec. 5, 2011, the social worker was attempting to deliver the information to children's prospective adoptive parents, who weren't home at the time. The worker tried to fit the package through the letter-box of the home, but it wouldn't fit, according to the monetary penalty notice. She then called the prospective adopters and informed them that she had left the package in a concealed area at the side of the house. When the prospective adopters returned home, the reports were gone, the ICO said in a statement.

The information hasn't been recovered, the statement noted.

The reports contained sensitive information, including details of any neglect and abuse suffered by the children, along with information about their birth families. An ICO investigation determined that the social worker never received data protection training and received no guidance on how to send personal data securely to prospective adopters.

Breach Called 'Avoidable'

"We have warned the charity sector that they must have thorough policies and procedures in place to keep the often sensitive information they handle secure," said Stephen Eckersley, head of enforcement at the ICO. "We do not want to be issuing monetary penalties to charities, but in this case the seriousness of the breach left us with little choice."

The children involved in the incident were no more than 6 years old, "and now they are in a situation where their most sensitive details could be in the hands of a complete stranger," Eckersley said. He called the breach "entirely avoidable."

Norwood has taken action to better protect personal information, the ICO said, although it did not specify what those steps were.

The monetary penalty notice is available online.

About the Author

Jeffrey Roman

Jeffrey Roman

News Writer, ISMG

Roman is the former News Writer for Information Security Media Group. Having worked for multiple publications at The College of New Jersey, including the College's newspaper "The Signal" and alumni magazine, Roman has experience in journalism, copy editing and communications.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.