Stoke on Trent City Council has been fined £120,000 for a major breach of the Data Protection Act, after emails containing sensitive information relating to a child protection legal case were sent to the wrong person.
In December last year, a solicitor at the City Council sent 11 emails containing details of the case, as well as other information relating to the health of two adults and two other children. They had been intended for the legal conducting the case.
The person who received the emails by mistake did not respond when asked to delete them.
The Information Commissioner’s Office levied the fine after finding that the Council had not followed its own procedures, which specified that sensitive information should be encrypted or sent over a secure network. However, the Council did not provide facilities or training to do this.
Stephen Eckersley, Head of Enforcement at the ICO, said:
“If this data had been encrypted then the information would have stayed secure. Instead, the authority has received a significant penalty for failing to adopt what is a simple and widely used security measure. It is particularly worrying that a breach in 2010 highlighted similar concerns around encryption at the authority, but the issue was not properly resolved.”
I work for an LA who received a similar fine in recent times. We now have a variety of different email systems in place depending upon the recipient.
The problem with the encrypted email systems is that they can cause real problems for those on smartphones – so, if the other side are at court and want something sending over urgently, say something that’s just come in, it can be problematic. The LA lawyer can pick it up on their smartphone because they’re internal, but those for the other parties, or the LA-instructed counsel, can’t.
That said, I’m all in favour of tighter regs re: emails and sensitive data distribution.