The Information Commissioner’s Office (ICO) has come down hard on Surrey County Council, imposing a fine of £120,000 after a major cock-up resulted in sensitive personal information being emailed to the wrong recipients – including transport firms – on three separate occasions.
The first and most significant of the three incidents took place in May last year. A member of staff working for one of the council’s Adult Social Care Teams emailed a file containing sensitive personal information relating to 241 individuals’ physical and mental health to the wrong group email address.
The group email address included a large number of transportation companies, including taxi firms, coach and mini bus hire services. The council attempted to recall the email, but was later unable to confirm that all the recipients had destroyed it. As the information was not encrypted or password protected, it had the potential to be viewed by a significant number of unauthorised individuals.
A second misdirected email sent in June 2010 led to confidential personal data relating to a number of individuals being mistakenly emailed to over one hundred unintended recipients who had, in fact, registered to receive a council newsletter.
In a third incident, the council’s Children’s Services department sent confidential sensitive information, which included data relating to an individual’s health, to the wrong internal group email address on 21 January 2011. While the data did not leave the council’s network, this breach led to sensitive data being circulated to individuals who should not have received it. The penalty of £120,000 recognises the council’s failure to ensure that it had appropriate security measures in place to handle sensitive information.
Information Commissioner Christopher Graham said: “This significant penalty fully reflects the seriousness of the case. Any organisation handling sensitive information must have appropriate levels of security in place. Surrey County Council has paid the price for their failings and this case should act as a warning to others that lax data protection practices will not be tolerated.”