14 DAY TRIAL // The North Somerset Council and the Worcestershire County Council from the United Kingdom were fined by the Information Commissioner’s Office (ICO) with £60,000 ($93,000 or 56,000 EUR), respectively £80,000 (125,000 or 93,000 EUR) after they sent emails containing sensitive information to the wrong individuals.
“Personal information in cases involving vulnerable people is about the most sensitive personal information imaginable. It is of great concern that this sort of information was simply sent to the wrong recipients by staff at two separate councils,” said Information Commissioner, Christopher Graham.
“It was fortunate that in both cases at least the email recipients worked in a similar sector and so were used to handling sensitive information. This mitigating factor has been taken into account in assessing the amount of the penalties.”
Worcestershire County Council received the fine for an incident that took place in March 2011, when one of their staff members inadvertently sent highly private information to 23 unintended recipients whose emails were contained in a different mailing list.
Even though in this case the recipients were actually collaborators and the risk of exposure is slim, the ICO considered that the council doesn’t have efficient policies that can prevent such incidents from occurring.
On the other hand, North Somerset Council had some policies in place for handling sensitive data, but it was to no good use. During November and December 2010, their employees sent sensitive information to wrong emails on five occasions, even after they received official warnings.
“There is too much of this sort of thing going on across local government. People who handle highly sensitive personal information need to understand the real weight of responsibility that comes with keeping it secure. Of course this includes having the correct training and policies in place, but it’s also about common sense,” Graham added.