In a clear sign that it frowns on all data breaches, not just electronic ones, the UK’s Information Commissioner’s Office (ICO) has handed out its largest penalty to date to the Midlothian Council in Scotland. It’s the first ever ICO fine for any Scottish local government, and it underscores that, while laptop encryption software like AlertBoot goes a long way towards placating any concerns, it’s not the only thing UK data controllers should be focusing on.
Five Breaches in Four Months
While it’s true that the Midlothian Council has received the largest penalty to date (£140,000; the next largest, £130,000, was handed to the Powys County Council in December 2011. I keep a list of ICO monetary penalties), one could also argue that it’s not a single fine but a combined fine for five data breaches:
The wrong child’s name was entered into an agreement
A GP was sent a request for a child’s report. The child wasn’t registered with the GP
A file was unintentionally included with other documents and sent to unintended recipients
Minutes of a child’s protection conference were sent to an old address
A letter on the foster care status of a child was sent to the wrong people
The above occurred in a period of four months. It could be argued that each breach cost the council £28,000, which would put each one at the bottom of the pile of ICO penalties.
Incidentally, the £140,000 was the reduced figure from £150,000 after the council appealed the fine.
Human Error? They Usually Are
Midlothian Council said it referred itself to the commissioner and insisted its procedures were sound, despite the breaches.
Colin Anderson, chief social work officer, said: “While the council accepts there were mistakes, they were caused by human error. Clear procedures were in place but were not followed.”
That the breaches were the result of human error is a moot point: that’s usually the case when the ICO hands out monetary penalties. Of the UK data breaches I’ve covered on this site, especially those that involved a penalty from the ICO, almost all involved human error. That is, I can’t really recall a breach where someone caused it on purpose.
That “clear procedures were in place but not followed” appears to exacerbate the situation, in my opinion. In fact, if the procedures were so clear but ignored, couldn’t one argue that this was not a case of human error?