News release: 10 February 2012
Five councils breached the Data Protection Act by failing to keep people’s personal information secure, Information Commissioner, Christopher Graham, said today.
Information Commissioner, Christopher Graham, said:
“At a time when councils are increasingly working with community partners, when data is shared it is vital that they uphold their legal responsibilities under the Data Protection Act. Failures not only put local residents’ privacy at risk, but also mean that councils could be in line for a sizeable monetary penalty.
“We must also consider the detrimental impact these breaches continue to have on the individuals affected. Disclosing details about someone’s social housing status can be upsetting and damaging for those affected. To help tackle this issue I’ve submitted a business case to the government to ask for them to extend my compulsory audit powers.”
The five data breaches at local authorities all relate to incidents where the councils failed to take appropriate steps to ensure that personal information was kept secure.
- Basingstoke and Deane Borough Council breached the Data Protection Act on four separate occasions during a two-month period last year. The breaches included an incident in May when an individual was mistakenly sent information relating to 29 people who were living in supported housing. The Council has now signed an undertaking committing them to take action to address the problems highlighted in each incident. This includes introducing appropriate checks to make sure personal information is handled in compliance with the Act.
- Meanwhile, in July 2011, an employee of Brighton and Hove Council emailed the details of another member of staff’s personal data to 2,821 council workers. A third party also informed the ICO of a historic breach which occurred in May 2009 when an unencrypted laptop was stolen from the home of a temporary employee. The Council has now committed to ensuring that the personal information they process is secure, including making sure that all portable devices used to store personal data are encrypted.
- Further undertakings have also been signed by Dacorum Borough Council, Bolton Council and Craven District Council, whilst an enforcement notice has been issued to Staffordshire County Council over its mishandling of a subject access request.
As well as the five local authorities, undertakings for youth charity Fairbridge and healthcare provider Turning Point have also been published today.
View full copies of the undertakings and enforcement notices
The ICO has produced guidance for local authorities explaining their obligations to keep the personal information they handle secure. The guidance includes advice on the security measures that must be in place.
The ICO has also carried out a number of audits with local authorities to help them identify ways in which they can improve their handling of personal information.
The Information Commissioner has written to councils to remind them of the need to comply with their legal obligations under the Data Protection Act.
Notes to Editors
1. The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
2. Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:
- Fairly and lawfully processed
- Processed for limited purposes
- Adequate, relevant and not excessive
- Accurate and up to date
- Not kept for longer than is necessary
- Processed in line with your rights
- Secure
- Not transferred to other countries without adequate protection
3. The ICO is on Twitter, Facebook and LinkedIn. Read more in the ICO blog and e-newsletter.
4. If you need more information, please contact the ICO press office on 0303 123 9070 or ico.gov.uk/press