The Information Commissioner's Office (ICO) has hit Stoke-on-Trent City Council with a £120,000 fine after a member of staff emailed sensitive information relating to a child protection case to the wrong person.
The error is the latest in a long line of embarrassing mistakes by councils that have led to heavy fines from the ICO. The data watchdog has repeatedly called on the public sector to improve data handling processes.
In total 11 emails were sent in error by a solicitor at the authority working on a child protection case, on 14 December, 2011. The council subsequently asked the recipient of the emails to delete them, but they never responded.
The ICO's investigation into the incident found that, under the Council's own policies, the solicitor should have sent the data over a secure network or encrypted the information.
However, the legal department had not been provided with the necessary software to encrypt data and was working on an unsecured network, which the council was aware of. Training was not provided to staff on data handling requirements either.
"If this data had been encrypted then the information would have stayed secure," said Stephen Eckersley, head of enforcement at the ICO.
"Instead, the authority has received a significant penalty for failing to adopt what is a simple and widely used security measure."
The incident is even more shameful for the council because it had already signed an undertaking with the ICO in early 2010 promising to improve data handling procedures when an unencrypted USB stick containing sensitive data was lost.
"It is particularly worrying that a breach in 2010 highlighted similar concerns around encryption at the authority, but the issue was not properly resolved," added Eckersley.
Stoke Council said it was implementing changes as a result of the fine, including a secure remote access system for staff working from home, the encryption of all portable devices and media, and the banning of unencrypted or non-council USB devices like iPhones and memory sticks.
"We have implemented a lot of new procedures and security measures that will help to prevent future breaches," said Steve Sankey, assistant director of business technology.
"It was prudent after the ICO notified us of our weaknesses that we acted immediately to improve the situation. I am now confident that the right tools have been made available to make sure the information is as secure as it could be while enabling staff to work effectively."
The fine of £120,000 could be reduced to £96,000 if the Council pays up before 23 November.
Earlier this month the ICO hit the Greater Manchester Police (GMP) with a fine of £120,000 after the theft of an unsecured USB stick containing details on over 1,000 people with links to serious crime investigations.