Midlothian Council fined for child data breaches

Midlothian Council has been hit with a £140,000 fine after its social services department sent sensitive information about children and their families to the wrong recipients on five separate occasions.

The five serious data breaches occurred between January and June 2011. In one case, papers relating to the status of a foster carer were sent to seven healthcare professionals, who had no reason to see the information.

In another, minutes of a child protection conference were sent in error to the former address of a mother’s partner, where they were opened and read by his ex-partner. The papers contained personal data about the children’s mother, who made a complaint to her social worker about the incident.

The first breach, which occurred in January 2011, did not come to light until March, when the council began an investigation. But this did not prevent further similar incidents taking place in May and June.

The £140,000 penalty is the first that the Information Commissioner’s Office (ICO) has served against an organisation in Scotland. The ICO’s investigation found that all five breaches could have been avoided if the council had adequate data protection policies, training and checks in place.

Ken Macdonald, assistant commissioner for Scotland, said the fine should remind authorities across the UK to make sure that the personal information they handle is kept secure.

“Information about children’s care, as well as details about their health and wellbeing, is some of the most sensitive information a local authority holds,” he said. “It is of vital importance that this information is protected and that robust policies are followed before it is disclosed.  

“The serious upset that these breaches would have caused to the children’s families is obvious and it is extremely concerning that this happened five times in as many months.”

The ICO is now calling on government to provide it with stronger powers to audit local councils’ data protection compliance – if necessary without consent.

A statement from Midlothian Council said the authority has told the ICO about eight cases in which confidential information was sent to the wrong recipients. The fine of £140,000 has been imposed for five of these cases, with the ICO still to consider the other three.

“All [cases] were human error and a number of staff have been disciplined,” the statement said. “All the information was retrieved or destroyed.

“Existing procedures have been further strengthened and an independent expert is to be brought in to ensure the council has done all it can to minimise recurrence.”