01.09.17
County fined £70,000 over ‘inexcusable’ personal data breach
Nottinghamshire County Council has been fined £70,000 by the Information Commissioner’s Office (ICO) following a serious data protection breach that left vulnerable people’s personal information online for five years.
Despite the Data Protection Act requiring organisations to keep personal data secure, the local authority posted the gender, addresses, postcodes and care requirements of elderly and disabled people in an online directory which didn’t have basic security or access restrictions.
The matter was only discovered after a member of the public using a search engine was able to access and view the data without the need to log in. The information also revealed whether or not the vulnerable people were still in hospital.
Steve Eckersley, ICO head of enforcement, said this was a serious and prolonged breach of the law.
“For no good reason, the council overlooked the need to put robust measures in place to protect people’s personal information, despite having the financial and staffing resources available,” he added.
“Given the sensitive nature of the personal data and the vulnerability of the people involved, this was totally unacceptable and inexcusable. Organisations need to understand that they have to treat the security of data as seriously as they take the security of their premises or their finances.”
The council had launched its ‘Home Care Allocation System’ (HCAS), an online portal allowing social care providers to confirm that they had capacity to support a particular service user, in July 2011. When the breach was reported in June 2016, the HCAS contained a directory of 81 service users. It is understood the data of 3,000 people had been posted in the five years the system was online.
Although the names of the service users were not included, the ICO noted that a determined person would be able to identify them. The regulator added that the county council offered no mitigation.
Responding to the fine, Caroline Baria, adult social care service director at Nottinghamshire County Council, said the local authority takes its responsibility for data security extremely seriously “so we are very sorry that this error occurred and wholeheartedly accept the Information Commissioner’s findings”.
“As soon as this matter came to our attention we removed the home care directory from the internet and reported the incident to the commissioner,” she said. “At the time, the directory included partial addresses and a brief outline of the care needs of 81 people who have required home care services, but the information did not contain any names or house numbers.
“A full review of procedures has been carried out and we are now using a different system for home care providers outside of the internet.”
Nottinghamshire is the latest authority to have been reprimanded by the ICO, with Basildon Borough Council recently being hit with a £150,000 fine after publishing personal information online and Gloucester City Council being hit with a £100,000 penalty aster a cyber-attack exposed information about its employees to hackers.
Have you got a story to tell? Would you like to become a PSE columnist? If so, click here.