E-Mail Error Results in £120,000 Fine
ICO: City Council Neglected Its Own Guidance
The UK Information Commissioner's Office has fined the Stoke-on-Trent City Council £120,000 after sensitive information about a child protection legal case was e-mailed to the wrong person.
The council is a local government entity that oversees the city of Stoke-on-Trent located in Staffordshire, England. The fine is for a violation of the UK Data Protection Act.
The breach occurred on Dec. 14, 2011, when 11 e-mails were sent by the council to the wrong address, according to an ICO statement. The e-mails contained sensitive information relating to the care of a child and further information about the health of two adults and two other children.
The ICO said the e-mails should have been sent to counsel who were working on the child protection case.
The incorrect recipient of the e-mail hasn't responded when asked by the council to delete the e-mails, according to the ICO.
"If this data had been encrypted then the information would have stayed secure," says Stephen Eckersley, head of enforcement at the ICO.
Based on an investigation by the ICO, the council apparently didn't follow its own guidance, which stated that sensitive data should be sent over a secure network or be encrypted. "However, the council had failed to provide the legal department with encryption software and knew that the team had to send e-mails to unsecure networks," the ICO's statement said. "The council also provided no relevant training."
Eckersley said the council has introduced new measures to improve the security of information sent electronically, as well as the data protection training provided to their staff.
"This should limit the chances of further personal information being lost," he says.