ICO hits Scottish council with record £140,000 fine for data loss incidents

The Information Commissioner's Office (ICO) has issued a £140,000 fine to Midlothian Council in Scotland, its largest to date, after information on children and their carers was sent to the wrong recipients.

The incidents occurred on five separate occasions between January and June 2011 in yet another example of poor data handling in the public sector.

Ken Macdonald, assistant commissioner for Scotland, chastised the council for its failure to keep the documents and their information secure. He said he hoped the fine would serve as a warning to all organisations to keep sensitive data secure.

"Information about children's care is some of the most sensitive information a local authority holds. It is of vital importance that this information is protected and that robust policies are followed before it is disclosed," he said.

"The serious upset that these breaches would have caused to the children's families is obvious and it is extremely concerning that this happened five times in as many months."

The ICO added that it believed the incidents were all avoidable if better data protection policies, training and checks were in place.

It also highlighted the need for organisations to ensure the records held in databases are up-to-date and properly managed.

The watchdog also used the case to repeated its call for the power to be able to conduct compulsory audits of public sector organisations such as councils and NHS bodies as it looks to clamp down on lax data handling.

Councils have been on the receiving end of the bulk of the fines issued by the ICO in recent months, with Powys Council in Wales recently hit with a fine of £130,000 for a similar incident relating to information on children protection cases in December.