More Monetary Penalties for Councils: Updated

February 13, 2012

On 13 February, the Information Commissioner’s Office announced that it had served monetary penalties totalling £180,000 on two councils for failing to keep highly sensitive information about the welfare of children secure.

Croydon Council has been handed a penalty of £100,000 after a bag containing papers relating to the care of a child sex abuse victim was stolen from a London pub. Norfolk County Council has been served with an £80,000 penalty for disclosing information about allegations against a parent and the welfare of their child to the wrong recipient.

Stephen Eckersley, Head of Enforcement, said:

‘We appreciate that people working in roles where they handle sensitive information will – like all of us – sometimes have their bags stolen. However, this highly personal information needn’t have been compromised at all if Croydon Council had appropriate security measures in place.

One of the most basic rules when disclosing highly sensitive information is to check and then double check that it is going to the right recipient. Norfolk County Council failed to have a system for this and also did not monitor whether staff had completed data protection training.

While both councils acted swiftly to inform the people involved and have since taken remedial action, this does not excuse the fact that vulnerable children and their families should never have been put in this situation.’

The Croydon Council breach – which happened in April 2011 – occurred when an unlocked bag belonging to a social worker was stolen from a London pub. The worker was taking papers, including information about the sexual abuse of a child and six other people connected to a court hearing, home for use at a meeting the following day. The bag and its contents have never been recovered.

The ICO’s investigation found that while Croydon Council did have data protection guidance available at the time of the theft, it was not actively communicated to staff and the council had failed to monitor whether it had been read and understood. The council’s policy on data security was also inadequate and did not stipulate how sensitive information should be kept secure when taken outside of the office.

The Norfolk County Council breach – which also occurred in April 2011 – happened when a social worker inadvertently wrote the wrong address on a report and hand delivered it to the intended recipient’s next-door neighbour. The report contained confidential and highly sensitive personal data about a child’s emotional and physical wellbeing, together with other personal information.

The ICO’s investigation found that the social worker had not completed mandatory data protection training and that the council did not have a system in place for checking whether training had been completed. The council also did not have a peer-checking process to ensure that sensitive information was being sent to the correct recipient.

Both councils have taken remedial action as a result of the breaches and will now ensure that effective data protection measures are put in place. 

View copies of these two monetary penalty notices


On 15 February, the ICO announced that Cheshire East Council has been ordered to pay a monetary penalty of £80,000 for failing to take appropriate measures to ensure the security and appropriateness of disclosure when e-mailing personal information.

The serious breach occurred in May 2011 when a council employee was asked to contact the local voluntary sector co-ordinator to alert local voluntary workers to a police force’s concerns about an individual who was working in the area. Instead of sending an e-mail via the council’s secure system, the employee sent an e-mail to the local voluntary sector co-ordinator via her personal e-mail account. The employee said she did this because the co-ordinator did not have an appropriate e-mail account and that using the secure e-mail system would have prevented the information from being further disseminated. 

The e-mail, which contained the name and an alleged alias for the individual as well as information about the concerns the police had about him, was then forwarded by the co-ordinator to 100 intended recipients. Because the e-mail did not have any clear markings or advice on how it was to be treated, the recipients interpreted the wording of the message to mean that they too should forward the e-mail to other voluntary workers. The e-mail was therefore sent to 180 unintended recipients.

Stephen Eckersley, Head of Enforcement, said:

‘While we appreciate that it is vitally important for genuine concerns about individuals working in the voluntary sector to be circulated to relevant parties, a robust system must be put in place to ensure that information is appropriately managed and carefully disclosed. Cheshire East Council also failed to provide this particular employee with adequate data protection training. The highly sensitive nature of the information and the need to restrict its circulation should have been made clear to all recipients. I hope this case – along with the fact that we’ve handed out over one million pounds worth of penalties since our powers came into force – acts as a strong incentive for other councils to ensure that they have sufficient measures in place around protecting personal data.’

Following the breach, the council attempted to recall the e-mail to prevent further dissemination. Over half (57%) of the recipients confirmed that they had deleted the information.

View a copy of the Cheshire monetary penalty notice (pdf)