Dozens of data protection breaches at Welsh councils
Welsh local authorities broke data protection laws more than 60 times during 2012. BBC Wales’ Welsh-language news website Newyddion Arlein obtained the information in a Freedom of Information request.
It found one case where a worker allowed their partner to access and amend personal data, several cases of posting personal data on websites, and an e-mail which accidentally disclosed sensitive details of 24 people who had died.
Seven of the 22 local authorities in Wales said they had recorded no breaches last year.
One of the worst councils for data breaches was Powys where there were 17 incidents during 2012 including five internal cases of misdirecting information, and 12 of sending information to the wrong address, recording wrong personal data in correspondence, and placing personal data on the council’s website.
There were seven cases recorded at Cardiff council. Among them were a member of staff accidentally sending an email to a number of third party individuals which disclosed sensitive details of 24 people who had died. However, the Data Protection Act does not apply to the deceased.
Also at Cardiff council, a worker sent an e-mail with sensitive personal data to the wrong person internally and a planning file containing personal data was lost.
There were seven cases in Wrexham Council. On two occasions the social services department mistakenly shared information with a third party; e-mail addresses of subscribers to the housing department portal were shared by mistake, and the council failed to respond to a request for data within the necessary 40 days four times.
Four cases were recorded in Flintshire council and disciplinary action was taken against one worker who allowed a partner to access and amend personal data.
There were no breaches in 2012 in Blaenau Gwent, Merthyr Tydfil, Monmouthshire, Rhondda Cynon Taf, Torfaen, Swansea and the Vale of Glamorgan.
The Information Commissioner’s Office said: “It’s vital that local authorities properly live up to their legal responsibility to keep personal data secure, particularly where it is sensitive information about children and young people.
“Our concern isn’t just that councils have the right policies and procedures in place; it’s about bringing about a culture among staff whereby everyone takes their responsibilities seriously and effective data handling becomes second nature.”