Data Protection: Monetary Penalty for Working from Home Error

August 29, 2013

The ICO has served Aberdeen City Council with a monetary penalty of £100,000 after a serious data breach resulted in sensitive information relating to social services involvement with several individuals being published online. The information included details relating to the care of vulnerable children.

The information was released after a council employee accessed documents, including meeting minutes and detailed reports, from her home computer. A file transfer program installed on the machine automatically uploaded the documents to a website, publishing sensitive information about several vulnerable children and their families, including details of alleged criminal offences.

The files were uploaded between 8 and 14 November 2011 and remained available online until 15 February 2012, when another member of staff spotted the documents after carrying out an online search linked to their own name and job title. The council was informed and the original documents were removed before the incident was reported to the ICO.

The ICO’s investigation found that the council had no relevant home working policy in place for staff and did not have sufficient measures in place to restrict the downloading of sensitive information from the council’s network.

Ken Macdonald, Assistant Commissioner for Scotland at the ICO, said:

‘As more people take the opportunity to work from home, organisations must have adequate measures in place to make sure the personal information being accessed by home workers continues to be kept secure. In this case Aberdeen City Council failed to monitor how personal information was being used and had no guidance to help home workers look after the information. On a wider level, the council also had no checks in place to see whether the council’s existing data protection guidance was being followed. The result was a serious data breach that left the sensitive information of a vulnerable young child freely available online for three months. We would urge all social work departments to sit up and take notice of this case by taking the time to check their home working setup is up to scratch.’

The council is currently in the process of agreeing an undertaking with the ICO, which commits the organisation to improving its compliance with the Data Protection Act.