ICO Issues Penalties To North Somerset And Worcestershire Councils.

The UK’s Information Commissioner has assessed penalties of £80,000 and £60,000 to Worcestershire County Council and North Somerset Council, respectively.  These fines were assessed for sending emails to the wrong recipients.  Of course, there is nothing that a laptop encryption software solution like AlertBoot could have done to prevent this.  Perhaps email encryption could have made an impact.  Well, at least in one of the cases.

Worcestershire County Council

Worcestershire County Council was fined £80,000 for a March 2011 incident.  An employee emailed sensitive information to 23 people who shouldn’t have been recipients of the electronic missive.  The situation arose because an additional email list (containing the addresses of the 23) was added to the email by accident.

The employee realized the mistake immediately and tried to contain the situation. The containment was successful, and probably only possible because the unintended recipients also worked in similar organizations.

It was not revealed how many people were affected by the breach, only that it involved “a large number of vulnerable people.”  I hope it involved a lot of people because…well, otherwise, this is the reason for the penalty (my emphasis):

Enquiries by the ICO found that Worcestershire County Council had failed to take appropriate measures to guard against the unauthorised processing of personal data, such as providing employees with appropriate training and clearly distinguishing between internal and external email distribution lists. The council had also failed to properly consider an alternative means of handling the information, such as holding it in a secure system that could only be accessed by members of staff who needed to see it.

80,000 quid for not officially separating internal and external email lists?  There are companies who’ve been fined less for more.

North Somerset Council

North Somerset Council was fined £60,000 and, of the two cases, is the more entertaining one.  In November and December 2010, a North Somerset employee mistakenly sent an email to an NHS employee.  The NHS employee alerted the sender to the error.  After this, the NHS employee was emailed a further three times.

At this point, the NHS employee must have done something because two North Somerset Assistant Directors talked to their employee about the continued data breaches.  A fifth email was sent to the NHS employee that very same day.

Of the five emails, two of them contained sensitive and confidential information.

The incident occurred because the NHS employee was added to a mailing list by mistake.
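Both incidents came down to an external address sitting on a distribution list that staff treated as internal, which is exactly the "clearly distinguishing between internal and external email distribution lists" point in the ICO's finding. The following pre-send check is an added example, not code from the original post or from either council: it expands explicit recipients and attached distribution lists, splits them into internal and external by domain allow-list, and refuses to send a message marked sensitive if any external address is present. The domain names, list names and addresses are constructed sample values, and the `Message` structure is a hypothetical stand-in for whatever a real mail gateway or client plug-in would hand over.

```python
# Added example (not the councils' or the post's own code): an outbound
# recipient check that separates internal from external addresses so that
# a sensitive message cannot go to an external distribution list by accident.
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed sample configuration: domains that count as "internal", and
# the distribution lists a sender can attach. Real values are assumptions.
INTERNAL_DOMAINS = {"council.example.gov.uk"}
DISTRIBUTION_LISTS: dict[str, list[str]] = {
    "safeguarding-team": [
        "a.smith@council.example.gov.uk",
        "b.jones@council.example.gov.uk",
    ],
    # A partner list: the kind of list that was attached by mistake in both cases.
    "partner-agencies": [
        "c.brown@nhs.example.org",
        "d.green@police.example.org",
    ],
}


@dataclass
class Message:
    """Hypothetical outbound message as seen by a gateway or client plug-in."""
    sender: str
    to: list[str]
    sensitive: bool                       # set by a classification label
    lists: list[str] = field(default_factory=list)   # attached list names


def domain_of(address: str) -> str:
    """Domain part of an address, lower-cased; a malformed address with no
    '@' yields the whole string, which never matches an internal domain."""
    return address.rsplit("@", 1)[-1].strip().lower()


def expand_recipients(msg: Message) -> list[str]:
    """Explicit addresses plus every member of every attached list,
    normalised to lower case and deduplicated with order preserved."""
    candidates = list(msg.to)
    for name in msg.lists:
        candidates.extend(DISTRIBUTION_LISTS.get(name, []))
    seen: list[str] = []
    for addr in candidates:
        addr = addr.strip().lower()
        if addr not in seen:
            seen.append(addr)
    return seen


def classify(recipients: list[str]) -> tuple[list[str], list[str]]:
    """Split recipients into (internal, external) by domain allow-list."""
    internal = [r for r in recipients if domain_of(r) in INTERNAL_DOMAINS]
    external = [r for r in recipients if domain_of(r) not in INTERNAL_DOMAINS]
    return internal, external


def check_send(msg: Message) -> dict:
    """Decide whether the message may leave, and report why.

    - 'external_lists' names every attached list that has at least one
      external member, so the sender sees which list caused the problem.
    - A sensitive message with any external recipient is refused; a
      non-sensitive one is allowed but still reports the external set.
    """
    recipients = expand_recipients(msg)
    internal, external = classify(recipients)
    external_lists = [
        name for name in msg.lists
        if any(domain_of(m) not in INTERNAL_DOMAINS
               for m in DISTRIBUTION_LISTS.get(name, []))
    ]
    allowed = not (msg.sensitive and external)
    return {
        "allowed": allowed,
        "internal": internal,
        "external": external,
        "external_lists": external_lists,
    }


if __name__ == "__main__":
    # Constructed scenario: a sensitive case note sent to the team list,
    # with the partner list attached by accident.
    msg = Message(
        sender="e.white@council.example.gov.uk",
        to=["a.smith@council.example.gov.uk"],
        sensitive=True,
        lists=["safeguarding-team", "partner-agencies"],
    )
    print(check_send(msg))
```

The decision is deliberately binary for sensitive mail and advisory for everything else: blocking all external mail would break legitimate partner-agency work, while a visible "this list contains external addresses" warning is what the ICO finding is asking for. In a real deployment the allow-list and the list membership would come from the directory, not from constants.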

Mitigating Circumstances

The Information Commissioner had this to say about the two incidents (my emphasis, ico.gov.uk):

“Personal information in cases involving vulnerable people is about the most sensitive personal information imaginable. It is of great concern that this sort of information was simply sent to the wrong recipients by staff at two separate councils. It was fortunate that in both cases at least the email recipients worked in a similar sector and so were used to handling sensitive information. This mitigating factor has been taken into account in assessing the amount of the penalties.”

Apparently, it wasn’t much of a mitigating factor if the penalties are that big.  It should be noted that the amount is one of the lowest to date, but larger than the one assessed on the only private company fined to date.