The Information Commissioner’s Office (ICO) has completed their investigation into a case where a Leicestershire County Council employee lost confidential data belonging to 18 children. Strict data protection laws had been broken and this case could have been prevented if the regulatory laws had been adhered too. The ICO have been critical of Leicestershire County Council but there have been no indication that they impose a fine.
The main role of the ICO is to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals in the UK. The ICO can impose a fine of up to £500,000.00 for any serious breach of the Data Protection Act.
Leicestershire County Council initially got into trouble when a social worker took home some confidential court documents in May last year. These documents were left in a briefcase in the social worker’s home during the night rather than in a secure location in the house. The social worker had obtained permission to take the documents home but they hadn’t received the relevant data protection training and therefore appropriate procedures were not followed. The social worker’s house was broken into that night and the burglar stole the briefcase with the documents inside. If the social worker had received the data protection training, they would have known that the documents should have been kept in a secure location in the house, preferably under lock and key.
Stephen Eckersley, The ICO’s head of enforcements claimed, “While Leicestershire County Council already recognised the risks associated with home working and had produced guidance for their staff, the guidance did not explain how papers containing personal information should be kept secure.”
Eckersley later argued, “Local authorities must recognise social workers are handling some of the most sensitive information available. The fact this information often relates to vulnerable young children means it is all the more important for these organisations to provide staff with adequate training and guidance on how to keep this information secure.”
A County Hall spokesman has responded to this outcome stating, “The county council takes data security extremely seriously. As soon as it became aware a briefcase had been stolen from a social worker’s house, the Information Commissioner was informed. We already have comprehensive information security arrangements in place and constantly explore how we can improve these. This case has led us to reorganise our priorities.”
The County Hall spokesman later added, “We have made it clear staff should not take confidential documents home unless it is absolutely necessary for their work and they have their manager’s permission. If they do take documents home, they must lock them in a secure place.”
This latest case of data loss suggests that many people are still acting reactively towards data loss incidents and not proactively. Surely questions should remain why the social worker was allowed to take the confidential court documents home in the first place as they hadn’t even received the relevant data protection training.