Jun 13, 2011 04:22 GMT

The Information Commissioner's Office (ICO) fined Surrey County Council £120,000 for emailing personal information to the wrong addresses on three separate occasions.

The first data breach occurred in May 2010 when an employee with one of the council's Adult Social Care Teams was asked by her manager to compile an Excel spreadsheet about adult social care service users.

The information included names, types of accommodation, support needs, days of attendance at the Day Service Centre and means of transport.

Other details about their needs were also added to the file, including wheelchair use, autistic spectrum conditions, mental health, Down's syndrome, dementia, epilepsy, hearing impairment, visual impairment, physical disabilities, and others.

The employee expressed concern about receiving the task because she was not properly trained to carry it out and had no experience with Excel.

Nevertheless, she was instructed to do it and, as a result, she erroneously emailed the file to an email distribution list consisting of contacts at 361 transportation companies.

The council tried to recall the email, but since it had already been delivered to mail servers outside the organisation, the recall failed. It then sent a follow-up email asking all recipients to delete the Excel spreadsheet.

A second data breach occurred the following month, in June 2010, when one of the council's employees emailed a "Minutes of a Strategy Discussion" document containing confidential personal data to a newsletter distribution list that included external recipients.

This was followed by yet another leak in January this year when a Family Support Worker with the council's Children's Services sent two sensitive documents to the wrong internal team.

"[...] The data controller had failed to take appropriate technical and organisational measures against unauthorised processing of personal data such as providing its employees with appropriate IT training and support, establishing naming conventions for group email distribution lists that cannot easily be mistaken by its employees and considering a more secure means of transmission such as encrypting any emails that contain sensitive personal data," the ICO said. [pdf]

"The Commissioner considers that the contravention is serious because the measures did not ensure a level of security appropriate to the harm that might result from such unauthorised processing and the nature of the data to be protected," it concluded.