Surrey County Council has been fined £120,000 after a series of blunders in which it emailed sensitive, personal information about hundreds of individuals to the wrong people.
The Information Commissioners Office (ICO) fined the council for three separate incidents which led to a ‘serious breach’ of the Data Protection Act.
The first breach occurred on May 17 last year when a member of staff working for one of the council’s adult social care teams emailed details relating to 241 individuals’ physical and mental health to the wrong group email address.
Recipients included a number of transportation companies including taxi firms, coach and mini bus hire services and as the information was not encrypted or password protected could have been viewed by a large number of unauthorised people.
After attempts to recall the e-mail failed, the council were later unable to confirm that all recipients had destroyed it.
A second blunder occurred on June 22 last year when confidential personal data relating to a number of individuals was mistakenly e-mailed to over one hundred unintended recipients who had registered to receive a council newsletter.
The last incident took place on January 21 this year when the council’s Children Services department sent confidential information relating to an individual’s health to the wrong internal group email address.
While the data did not leave the council’s network the breach led to sensitive and private information being circulated to individuals who should not have received it.
Christopher Graham, UK Information Commissioner said: “This significant penalty fully reflects the seriousness of the case.
“The fact that sensitive personal information relating to the health and welfare of 241 vulnerable individuals was sent to the wrong people is shocking enough.
“But when you take into account the two similar breaches that followed, it is clear that Surrey County Council failed to fully address the risks of sending sensitive personal data by email until it was far too late.”
“Any organisation handling sensitive information must have appropriate levels of security in place.
Surrey County Council has paid the price for their failings and this case should act as a warning to others that lax data protection practices will not be tolerated.”
A spokesperson for Surrey County Council said: “These incidents should never have occurred and we have apologised to the people involved.
“Immediate action has been taken to prevent this happening again.
“Measures have already been taken to reduce the risk of sensitive personal data being wrongly addressed and extra training on handling data securely has been given.
“We accept the commissioner’s findings but feel the money we were fined by another public sector organisation would have been better spent making further improvements in Surrey."
For more information visit ico.gov.uk.
If you were one of those affected please contact Lauren May at 020 8722 6346 or e-mail lmay@london.newsquest.co.uk
Comments: Our rules
We want our comments to be a lively and valuable part of our community - a place where readers can debate and engage with the most important local issues. The ability to comment on our stories is a privilege, not a right, however, and that privilege may be withdrawn if it is abused or misused.
Please report any comments that break our rules.
Read the rules here