The Information Commissioner’s Office (ICO) has revealed details about an unintended data leak which saw Portsmouth City Council hand over sensitive information about a local resident, after a request was made for details relating to another person entirely.
The ICO said that this occurred after a subject access request, during which a worker neglected to fully redact the documents before distribution, allowing private information to leak.
The ICO investigated this incident and revealed some worrying facts. Firstly, the person who was charged with redacting the documents was not directly in the employ of the council and, secondly, they were not adhering to the regulations relating to terms of service.
In addition, the ICO concluded that staff had not been properly instructed on how to handle and protect personal data.
The ICO’s Mick Gorrill said that this data loss incident could have been prevented had those involved been subjected to rigorous instruction relating to the requirements of the Data Protection Act, backed up by managerial support.
Mr Gorrill said that unnecessary stress and worry could have been caused as a result of these careless actions on the part of the council, particularly as the individual who had details exposed was completely unrelated to the issue covered by the request.
The council has said that it is aware of the severity of this incident and will endeavour to make sure that it does not recur. The ICO is hoping that this event will act as further incentive to other local authorities around the UK, resulting in a greater degree of compliance with the DPA, even when outsourcing work to third-party firms.
The council head, David Williams, followed in the footsteps of other leaders by committing to a formal ICO undertaking that will require improved training and greater data monitoring within the organisation and across its external contractors.
Experts are concerned that the ICO’s powers to fine up to half a million pounds for data loss and DPA breaches are not really enough to encourage public sector organisations to change their policies and improve security, leading some to call for greater powers to be handed out to the regulator.