The Information Commissioner’s Office (ICO) has fined Stoke-on-Trent City Council £120,000 for failing to provide its legal department with encryption software, after a solicitor sent emails to the wrong address.
This is the second data breach for the Council in recent years. In early 2010 it signed an undertaking with the ICO after sensitive data relating to a childcare case was lost on an unencrypted memory stick.
The latest incident happened on 14 December 2011 when 11 emails containing highly sensitive information relating to the care of children were sent to the wrong address. The authority was able to establish that the email address used was valid, but the recipient failed to respond when asked to delete the emails.
Although the ICO investigation found that the solicitor was in breach of the council’s own guidelines, the council had failed to provide the legal department with encryption software and knew that the team had to send emails to unsecure networks. The council also provided no relevant training.
Stephen Eckersley, Head of Enforcement at the ICO, said: “If this data had been encrypted then the information would have stayed secure. Instead, the authority has received a significant penalty for failing to adopt what is a simple and widely used security measure.
“It is particularly worrying that a breach in 2010 highlighted similar concerns around encryption at the authority, but the issue was not properly resolved.”
He added: “The council has now introduced new measures to improve the security of information sent electronically, as well as signing a legal notice to improve the data protection training provided to their staff. This should limit the chances of further personal information being lost.”
Last month the ICO fined Scottish Borders Council £250,000 under the Data Protection Act for not putting appropriate guarantees in place when it outsourced responsibility to an external company to digitise employees’ pension records.