The Information Commissioner’s Office (ICO) today served Surrey County Council with a monetary penalty of £120,000 for a serious breach of the Data Protection Act after sensitive personal information was emailed to the wrong recipients on three separate occasions.
“This significant penalty fully reflects the seriousness of the case. The fact that sensitive personal information relating to the health and welfare of 241 vulnerable individuals was sent to the wrong people is shocking enough. But when you take into account the two similar breaches that followed, it is clear that Surrey County Council failed to fully address the risks of sending sensitive personal data by email until it was far too late.”
The first incident and most significant of the three, took place on 17 May last year. A member of staff working for one of the council’s Adult Social Care Teams emailed a file containing sensitive personal information relating to 241 individuals’ physical and mental health to the wrong group email address.
My comment: Can we trust any public authority with our data? Whilst the fine may help deter the council from doing it again a cheaper option for the taxpayer would have been to sack the people responsible. However, that's the problem with watchdogs, they have no real teeth other than to punish the taxpayer and that can't be right.
Read the full story by downloading from the ICO.
Read all articles about Surrey County Council on this blog