Data protection failures in Stoke-on-Trent

Infosecurity Magazine reports on a finding by the Office of the Information Commissioner of a breach of the Data Protection Act 1998 by Stoke-on-Trent Council.

http://www.infosecurity-magazine.com/view/29025/stokeontrent-gets-120k-fine-for-second-data-encryption-offense/

A solicitor employed by the Council mistakenly sent eleven emails concerning a child protection court case to the wrong email address instead of sending them to the council’s barrister. These emails contained confidential and sensitive personal data about the case, including details of non-accidental injuries to a child and medical information about two adults and two other children.

The main failing, it is reported, was that the emails were not encrypted, so that whoever received them was able to read the plain text. Despite the Council having guidelines stating that this type of communication must be encrypted, apparently no encryption facilities were available to the solicitor. As a result she was not disciplined.

The Council was fined £120,000.

Children and their families have a right to expect that highly sensitive personal data will be handled with the utmost care.  The Council needs to put in hand urgent changes to improve information security.