ICO fines yet another council for data security breach

The Information Commissioner's Office (ICO) has fined yet another council thousands of pounds for a serious data security breach.

Just two days after the privacy watchdog fined Norfolk and Croydon Councils, a total of £180,000, Cheshire East Council has come under fire for a breach of the Data Protection Act.

The council will have to pay a penalty of £80,000 after an employee used her own personal email account to send sensitive details about an individual working in the voluntary sector in the area.

Because of police concerns about this person, she was asked to contact the local voluntary sector co-ordinator to alert local voluntary workers to the authorities concerns.

However the email, which contained the name and an alleged alias for the individual as well as information about the concerns the police had about him, was not secure. It was then forwarded by the co-ordinator to 100 intended recipients.

The breach was made worse after the email was then sent to a further 189 people, because it did not have any clear markings or advice on how it was to be treated.

Stephen Eckersley, Head of Enforcement, said: "While we appreciate that it is vitally important for genuine concerns about individuals working in the voluntary sector to be circulated to relevant parties, a robust system must be put in place to ensure that information is appropriately managed and carefully disclosed.

"Cheshire East Council also failed to provide this particular employee with adequate data protection training. The highly sensitive nature of the information and the need to restrict its circulation should have been made clear to all recipients.

"I hope this case – along with the fact that we've handed out over one million pounds worth of penalties since our powers came into force – acts as a strong incentive for other councils to ensure that they have sufficient measures in place around protecting personal data."