Stoke fined £120K over email privacy blunder

Stoke-on-Trent City Council has been fined £120,000 after a member of its legal department sent emails containing sensitive information to the wrong address.
Written by Sam Shead, Contributor

Stoke-on-Trent City Council has been fined £120,000 after it accidentally emailed sensitive data about a child protection case to the wrong person.

The 11 emails, sent on 14 December 2011, were intended for a lawyer working on the case but ended up being sent to another email address due to a typing mistake. The female solicitor realised her error when she spoke to the barrister, who told her that he had not received any emails from her on that day.

In addition, the data was not sent over a secure network or encrypted, as required by the council's own guidelines. As a result, the Information Commissioner's Office (ICO) said the council had contravened the Data Protection Act under section 4 (4) and issued it with a fine of £120,000.

"If this data had been encrypted, then sensitive information would have stayed secure. Instead, the authority has received a significant penalty for failing to adopt what is a widely used security measure," Stephen Eckersley, the ICO's head of enforcement, said in a statement on Thursday.

The accidentally misdirected emails contained information of varying sensitivity and were sent to an active, but incorrect, address. The address owner failed to respond when asked by the solicitor to delete the messages.

The ICO said some of them contained confidential personal data about non-accidental injuries to a child and additional sensitive information about the health of two adults and two further children. 

The UK's data protection authority also said the solicitor should have sent the emails via the government secure intranet network (GCSx) or encrypted them.

The solicitor was not disciplined by the council because it acknowledged that it was partly to blame for not providing the legal department with encryption software, despite knowing that the team had to send emails to unsecured networks.

Before handing out the £120,000 penalty charge, the ICO took into account that this is not the first time Stoke-on-Trent Council has run into trouble over a data breach. In early 2010, it lost a memory stick containing unencrypted data on a child care case. In response to an ICO review, it agreed at the time to introduce measures to keep data secure, such as new procedures for encrypting portable devices.

"It is particularly worrying that a breach in 2010 highlighted similar concerns around encryption at the authority, but the issue was not properly resolved," Eckersley said.

If the ICO receives full payment by 23 November, then the council's fine will be reduced by 20 percent to £96,000.
