The Information Commissioner's Office has rapped three councils over the knuckles for being sloppy with the personal details of thousands of children
The London Borough of Barnet, West Sussex County Council and Buckinghamshire County Council were criticised by the information watchdog for showing a "poor regard" for protecting sensitive information. The ICO has the power to fine an organisation up to £500,000 for a breach of the data protection Act. It never has. And it looks like it never will.
The ICO said a "systemic lack of staff training" on how to handle personal information has led to the loss of sensitive personal information relating to thousands of children.
Sally-Anne Poole, Enforcement Group Manager at the ICO, said: “These three councils have shown a poor regard for the importance of protecting children’s personal information. It is essential that councils ensure the correct preventative safeguards are in place when storing and transferring personal information, especially when it concerns sensitive information relating to children. A lack of awareness and training in data protection requirements can lead to personal information falling into the wrong hands.”
An unencrypted, non-password protected USB stick and CDs containing the sensitive personal information of over 9,000 children and members of their families which were stolen from the home of an employee of the London Borough of Barnet was reported by the council. For some undisclosed reason, the employee had downloaded the data onto the devices without any authorisation to do so.
West Sussex County Council had a laptop stolen, also from the home of an employee, which contained sensitive personal data relating to an unknown number of children and families involved in childcare proceedings. The laptop was unencrypted and it was also discovered that over 2,300 similarly unencrypted laptops were likely to be still in use across the council’s various services, although steps are now being taken to encrypt these.
Buckinghamshire County Council provided a report regarding the loss, at Heathrow Airport, of documents containing sensitive personal data relating to two children. The documents were in a plastic wallet belonging to a council social work employee who was travelling to another UK city in connection with the children’s social care case.
The ICO found all three councils in breach of the DPA and were made to sign "formal undertakings" to ensure staff will be made fully aware of the policies of their council for the storage and use of personal data.
Poole added: “I am particularly concerned where a public authority has previously been warned about the lack of staff training in data security. Breaches involving such large numbers of children and family members could easily have been avoided. I am pleased that all of the councils have now taken or proposed action to prevent against further data breaches.”