The Information Commissioner’s Office (ICO), the U.K.’s data protection and privacy watchdog, recently announced that it has fined the Powys County Council more than $200,000 for violating the country’s Data Protection Act. This is the largest monetary penalty ever issued by the ICO.
The Powys County Council was punished for its role in two separate data security failures involving child protection cases, the ICO noted. The first incident occurred in June 2010, when a social worker sent information about a “vulnerable child” to a recipient who was able to identify the child.
The ICO says that, following the incident, it warned the council to adopt stricter security measures and introduce mandatory training for employees. It also told the council that more severe action would be taken if a similar incident occurred again.
Such an incident did occur in February this year, when a protection case report was delivered to the wrong recipient, who was able to identify the parent and child from the personal details included in the report. The recipient then filed a complaint with the council.
“The distress that this incident would have caused to the individuals involved is obvious and made worse by the fact that the breach could have been prevented if Powys County Council had acted on our original recommendations,” said assistant commissioner for Wales Anne Jones in a statement.
Jones noted that there seems to be a growing problem with the country’s social services department, which has been involved in three similar incidents in recent weeks.
“There is clearly an underlying problem with data protection in social services departments and we will be meeting with stakeholders from across the U.K.’s local government sector to discuss how we can support them in addressing these problems,” she added.
According to the BBC, Powys council leader Michael Jones apologized for the incident, calling it a “regrettable case of human error.” He told the BBC that the council has taken disciplinary action against the person responsible for the breach.
The ICO, for its part, has made several moves to improve data security practices throughout the country. For example, the organization has worked to raise awareness about the importance of data breach notifications and even pushed for data protection practices to be taught to schoolchildren. However, in an October report, the ICO stated that while data security awareness is improving, the persistence of data breaches and other incidents indicates that practices are not yet where they need to be.
Security News from SimplySecurity.com by Trend Micro