Data leaks cost Midlothian a record £140k fine

The Scottish council has been handed the largest fine yet by the Information Commissioner's Office, for five incidents of sending child care records to the wrong recipients

Midlothian Council has been handed the largest fine yet for five data protection breaches, including one where a failure to keep its database updated meant sensitive documents were sent to the wrong people.

The council was fined a record £140,000 for mishandling sensitive child protection and care data on five occasions in 2011, the Information Commissioner's Office (ICO) said on Monday.

In one incident, a Midlothian Council employee sent details of a child protection conference to an out-of-date address held for the child's mother's partner, because the council had not kept its database current, according to ICO enforcement documents. The conference minutes were read by the partner's former partner, who may have discussed the information within the local community, according to the ICO.

"Checking and double checking that information is being sent to the right recipient is a simple measure and one that could prevent many of the data breach cases that come to the ICO," a spokeswoman for the privacy authority told ZDNet UK.

Midlothian Council discovered the five data breaches in June, plus three further instances now under investigation by the ICO.

"As soon as the council discovered the problem, it investigated and found eight letters or documents had been sent to the wrong recipients, for which the council is sincerely sorry," chief social work officer Colin Anderson said in a statement.

"The council immediately took steps to retrieve the information, or have it destroyed, and voluntarily reported ourselves to the Information Commissioner. I must emphasise that there is no evidence that anyone was put at risk," he added.

None of the incidents involved social workers; they were due to administrative support staff not following established policies and procedures, according to Anderson.

"You can have as many policies and procedures in place [as you like] — in that respect, we were satisfied various policies and processes were in place — but at the end of the day, it was staff not updating a database, or putting documents in the wrong envelope," he told ZDNet UK.

Reduced fine

During the arbitration process, the council appealed the fine, which was reduced from £150,000 to £140,000. "We self-referenced to the ICO, did a thorough investigation, and disciplined staff," Anderson said. "We did consider the fine inappropriate."

Anderson was not aware of any council plans to appeal the current level of the fine. "My recommendation would be that we accept and move on," he said. "There is an absolute determination to make sure we've got it right."

The previous largest fine, £130,000, was handed down by the ICO to Powys County Council for mishandling children's data.

Businesses that deal with personal data need to make sure records are kept up-to-date, and that all staff are trained to follow business processes, according to security analyst Andy Buss.

"If you look at companies that deal with sensitive data, the quality of customer records is one of the biggest issues they face," Buss said. "If you don't have up-to-date records of who information should go to, that can be as big a breach as leaving a data-stick on a train."