The United Kingdom’s Information Commissioner’s Office (ICO) has published reports on a couple of councils that have breached the Data Protection Act. The councils in question are the Wirral Borough Council and the Wokingham Borough Council.
According to the ICO, the Wokingham Borough Council lost sensitive social services records relating to the care of a young child. The files, requested by a , were left by the delivery driver outside the requester’s home.
The driver should have been informed that the documents were sensitive and instructed to request a signature. If no one was there to sign for the package, it should have been returned to the council. Furthermore, the council didn’t contact the requester to arrange a delivery time.
“No one expects to have sensitive information about the care of their child left on the doorstep for anyone to stumble across. However, a series of errors by the council has led to a situation where a social service record containing damaging allegations of abuse suffered by the child, has been delivered with no consideration given to its content,” noted ICO Head of Enforcement, Stephen Eckersley.
“This is not good enough and Wokingham Borough Council has now agreed to take action to make sure future deliveries containing sensitive are carried out securely. They must also make sure their staff receive regular training so they can follow the council’s updated processes.”
The Wirral Borough Council breached the Data Protection Act by sending sensitive social services records to the wrong addresses on two different occasions. The council has agreed to improve its practices.
“While human error was a factor in each of these cases, the council should have done more to keep the information secure. Social workers routinely handle sensitive information and Wirral Borough Council failed to ensure their staff received adequate training on how to keep people’s information secure,” Eckersley said.
“We are pleased that the council has now made its data protection training mandatory for all staff following these incidents and has agreed to take further action to address the underlying problems that led to these mistakes,” he added.
“This includes ensuring that all staff complete the data protection training by the end of June and adequate checks are in place to make sure sensitive records are being sent to the right address.”
These two incidents show that government organizations should really focus more on internal security practices.