Surrey council has been hit with a heavy fine from the ICO (Information Commissioner’s Office).
The council was handed the large penalty because it managed to drop the data ball on three separate occasions, with two breaches suffered last year and one in January of this year.
The first was the most serious spillage, when in May 2010 the personal details relating to the health of 241 vulnerable individuals were emailed to the wrong group email address.
Information Commissioner Christopher Graham said that this disaster was compounded when the council, clearly not having learned its lesson from the episode, misdirected another email in June 2010, this one containing unencrypted personal information on further folks.
And then in January 2011 another email went astray, although this time just an internal one.
Graham handed out the £120,000 fine, noting: “This significant penalty fully reflects the seriousness of the case.”
He continued: “Any organisation handling sensitive information must have appropriate levels of security in place. Surrey County Council has paid the price for their failings and this case should act as a warning to others that lax data protection practices will not be tolerated.”
Since the incidents, Surrey council has taken action to improve its security policies, including the development of an early warning system which lets staff know when sensitive information is being sent to an external email address.
Staff have undergone further IT training, too, perhaps being schooled in actually looking at the names listed in that funny little window with “To” next to it before they click “Send”.