A report containing confidential and highly sensitive personal data on an alleged child neglect case concerning a family (Family A) was accidentally included with information sent by a social worker to an individual (B). This was due to the social worker collecting the wrong printing from an office printer. B read the report and telephoned the Council to report the mistake. The Council recovered the report from B within two hours and advised B that the information was confidential. However, B subsequently contacted Family A via a social networking site to inform them that she had received the information. This incident was voluntarily reported by the Council to the ICO.
The Commissioner held that there had been a serious breach of the data protection principle that "appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data".
The Council should have had a more secure system for printing reports containing sensitive personal data and ensuring that reports are peer checked to make sure they are not disclosed to unauthorised third parties. Family A would suffer substantial distress knowing that their confidential and sensitive personal data had been disclosed to a third party and that their data may be disseminated further. The Council was therefore fined £60,000. The ICO's full decision can be found here.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
