Stoke fined £120K over email privacy blunder

Summary: Stoke-on-Trent City Council has been fined £120,000 after a member of its legal department sent emails containing sensitive information to the wrong address.

Stoke-on-Trent City Council has been fined £120,000 after it accidentally emailed sensitive data about a child protection case to the wrong person.

The 11 emails, sent on 14 December 2011, were intended for a lawyer working on the case but ended up being sent to another email address due to a typing mistake. The female solicitor realised her error when she spoke to the barrister, who told her that he had not received any emails from her on that day.

In addition, the data was not sent over a secure network or encrypted, as required by the council's own guidelines. As a result, the Information Commissioner's Office (ICO) said the council had contravened the Data Protection Act under section 4 (4) and issued it with a fine of £120,000.

"If this data had been encrypted, then sensitive information would have stayed secure. Instead, the authority has received a significant penalty for failing to adopt what is a widely used security measure," Stephen Eckersley, the ICO's head of enforcement, said in a statement on Thursday.

The accidentally misdirected emails contained information of varying sensitivity and were sent to an active, but incorrect, address. The address owner failed to respond when asked by the solicitor to delete the messages.

The ICO said some of them contained confidential personal data about non-accidental injuries to a child and additional sensitive information about the health of two adults and two further children. 

The UK's data protection authority also said the solicitor should have sent the emails via the government secure intranet network (GCSx) or encrypted them.

The solicitor was not disciplined by the council because it acknowledged that it was partly to blame for not providing the legal department with encryption software, despite knowing that the team had to send emails to unsecured networks.

Before handing out the £120,000 penalty charge, the ICO took into account that this is not the first time Stoke-on-Trent Council has run into trouble over a data breach. In early 2010, it lost a memory stick containing unencrypted data on a child care case. In response to an ICO review, it agreed at the time to introduce measures to keep data secure, such as new procedures for encrypting portable devices.

"It is particularly worrying that a breach in 2010 highlighted similar concerns around encryption at the authority, but the issue was not properly resolved," Eckersley said.

If the ICO receives full payment by 23 November, then the council's fine will be reduced by 20 percent to £96,000.

Topics: Security, Government : UK, United Kingdom

About

Sam is generally at his happiest with a new piece of technology in his hands or nailing down an exclusive story. In the past he's written for The Engineer and the Daily Mail, covering emerging technology in electronics, energy, defence, materials, aerospace, automotive and healthcare. These days, Sam is particularly interested in emerging...
