The Information Commissioner has given the public sector a harsh warning about the risks of email after two English councils were handed heavy fines for data breach incidents in which highly sensitive personal data was accidentally emailed to the wrong recipients.
The ICO fined Worcestershire County Council £80,000 for an incident in March 2011 in which a member of staff inadvertently emailed data on a large number of vulnerable individuals to 23 people on the wrong contact list.
Separately, North Somerset Council will be asked to pay a £60,000 fine for an incident late in 2010 in which a member of staff sent five emails regarding a child’s serious case review to the wrong NHS employee, a breach of the Data Protection Act.
For once, the latest cases do not involve the usual data loss culprit, USB sticks. The roots of both cases appear to be a mixture of individual mistakes and the limitations of email systems when used to distribute data to groups of professionals, and neither Council involved seems to have anticipated that either could go awry.
In the Worcestershire case, the ICO said that the Council had not taken steps to train staff on the use of mailing lists and should have considered alternative ways of distributing data given the risk of mistakes.
As a mitigating factor, the member of staff who sent the email in question realised the mistake immediately and attempted to contact the unintended recipients, all of whom worked for registered organisations.
The North Somerset case was potentially more serious despite being on a far smaller scale. The member of staff was informed of the mistake after sending the first email to the wrong person but sent a further three messages in the same manner. Despite two of the Council’s assistant directors then highlighting the issue with the employee, a fifth email incident occurred.
“It is of great concern that this sort of information was simply sent to the wrong recipients by staff at two separate councils,” said Information Commissioner Christopher Graham.
“It was fortunate that in both cases at least the email recipients worked in a similar sector and so were used to handling sensitive information. This mitigating factor has been taken into account in assessing the amount of the penalties.”
Last week, privacy and anti-surveillance organisation Big Brother Watch released a report which drew back a veil on the stunning scale of data loss by public sector organisations.
The organisation said it had details of 1,035 potential data loss incidents by local authorities in the three years to July 2011, uncovered using Freedom of Information requests, of which only 55 had been reported to the ICO.