ICO slaps Welsh council with record £130,000 data breach fine

The Information Commissioner's Office (ICO) announced on Tuesday that it has served its highest data protection penalty fine of £130,000 to Powys County Council after details about a child protection case were sent to the wrong recipient.

The ICO gained the power to fine organisations up to £500,000 for serious breaches of the Data Protection Act in April last year, but has been reluctant to do so, preferring to educate rather than punish offenders.

Anne Jones, ICO assistant commissioner for Wales, said that the fine follows two others imposed on UK councils in the past three weeks after the disclosure of sensitive information about vulnerable people.

"It's the most serious case yet and it has attracted a record fine. The ICO has also issued a legal notice ordering the council to take action to improve its data handling. Failure to do so will result in legal action being taken through the courts," she said.

The Powys data protection breach occurred when two separate reports about child protection cases were sent to the same shared printer, according to the ICO.

It is believed that two pages from one report were mistakenly collected with the papers from another case and were sent out without being checked.

The recipient of the two pages of the report knew the parent and child whose personal details were included in the papers, and complained to the council.

No particular individual has been named by the ICO as responsible for the mistake.

"There is clearly an underlying problem with data protection in social services departments and we will be meeting with stakeholders from across the UK's local government sector to discuss how we can support them in addressing these problems," said Jones.

The ICO enforcement notice places a legal requirement on Powys County Council to train its entire staff to follow the council's guidance on the handling of personal data by 31 March 2012, with refresher training provided every three years.