ICO fines Powys £130,000 for child data breach

Powys County Council has been fined £130,000 for mistakenly sending out details of a child protection case to the wrong recipient — the largest fine yet handed out by UK data protection authorities.

The data breach occurred in February after two reports were sent to the same shared printer in the county council offices. Two pages of one of the reports were mistakenly combined with another, and posted to the recipient, the Information Commissioner's Office (ICO) said in a statement on Tuesday.

"The ICO has also issued a legal notice ordering the council to take action to improve its data handling," the ICO said. "Failure to do so will result in legal action being taken through the courts."

ZDNet UK understands that the papers were mixed through human error. The two different cases concerned people who lived close to each other. The recipient recognised not only that two of the papers did not refer to her children, but recognised who the other child was, through living in close proximity.

Powys County Council said it was improving staff training following the breach.

"This was a regrettable case of human error and we have apologised to all parties for the distress the disclosure may have caused," councillor Michael Jones said in a statement. "The council expects staff, particularly those working in sensitive areas, to maintain the highest possible professional standards. Disciplinary action has been taken against the member of staff involved in the regrettable breach."