Stoke on Trent City Council has been fined £120,000 for a major breach of the Data Protection Act, after emails containing sensitive information relating to a child protection legal case were sent to the wrong person.
In December last year, a solicitor at the City Council sent 11 emails containing details of the case, as well as other information relating to the health of two adults and two other children. They had been intended for the legal conducting the case.
The person who received the emails by mistake did not respond when asked to delete them.
The Information Commissioner’s Office levied the fine after finding that the Council had not followed its own procedures, which specified that sensitive information should be encrypted or sent over a secure network. However, the Council did not provide the facilities or training needed to do this.
Stephen Eckersley, Head of Enforcement at the ICO, said:
“If this data had been encrypted then the information would have stayed secure. Instead, the authority has received a significant penalty for failing to adopt what is a simple and widely used security measure. It is particularly worrying that a breach in 2010 highlighted similar concerns around encryption at the authority, but the issue was not properly resolved.”