Council Fined Â£90,000 over BreachesIncidents Involved Info on Children
The UK Information Commissioner's Office has fined the Telford and Wrekin Council Â£90,000 over two breaches that compromised information on children.
See Also: The Global State of Online Digital Trust
The Telford and Wrekin Council is a public services organization that oversees Telford and Wrekin, a district in the West Midlands region of England.
The council issued a statement saying the fine will be reduced to Â£72,000, "as we intend to pay it promptly."
"While we accept that the breaches occurred, we do not agree with the rationale behind the financial penalty that has been imposed," the statement reads. "We believe the fine imposed goes against the ICO's own guidance, which states an organization should not be fined when it has taken reasonable steps to prevent a breach - which we believe we have."
In the first breach, a staff member for Safeguarding Services sent a social care core assessment of one child to the child's sibling instead of their mother, who lived at the same address, according to a news release issued by the ICO. Information in the assessment included sensitive details on the child's behavior.
In the second incident, the names and addresses of foster care placements for two young children were included in the children's placement information record, which is a document signed by the parents of children who are due to be placed in foster care, according to a PDF of the penalty notice.
When a social worker took a printout of the record to the mother of the children to sign, she noticed the address of the foster care placements.
"The data controller then decided to move the children to alternative foster care placements to minimize the effect of the data subjects concerned," the notice reads.
Investigation into Breaches
The ICO investigated the first incident and determined that the information system that set up the relationship records for the children was not populated with adequate information. "The system was set up so that the details of individuals were printed automatically on the assessment, although a user could [check a box] to ensure that the details weren't printed," the news release explained.
In an investigation of the second incident, the ICO found that the default setting on the system was to include the foster care placements' details in the placement information record. "There was no process in place to check the [record] after it was printed," the release said.
"The decision by the ICO to issue a penalty in this case reflects its seriousness - these were two very similar data breaches which occurred within a short space of time, and both involved highly confidential and sensitive personal data," says David Smith, the ICO's deputy commissioner and director of data protection.