In a recent case, Stoke-on-Trent Council was fined £120,000 after one of its employees emailed sensitive information about a child protection case to the wrong person.
An investigation by the Information Commissioner’s Office (ICO) found that the employee breached the council’s guidance policy which stated that sensitive information should be encrypted or sent over a secure network.
However, in this case, the council had failed to provide encryption software and knew that emails were being sent to unsecure networks. The council had also failed to provide relevant training.
Stephen Eckersley, Head of Enforcement at the ICO, said: “If this data had been encrypted then the information would have stayed secure. Instead, the authority has received a significant penalty for failing to adopt what i
s a simple and widely used security measure.
“The council has now introduced new measures to improve the security of information sent electronically, as well as signing a legal notice to improve the data protection training provided to their staff. This should limit the chances of further personal information being lost.”
The ICO says that anyone who processes personal information must comply with eight principles of the Data Protection Act. It’s essential to ensure that personal information is:
Fairly and lawfully processed
Processed for limited purposes
Adequate, relevant and not excessive
Accurate and up to date
Not kept for longer than is necessary
Processed in line with people’s rights
Secure
Not transferred to other countries without adequate protection
Please contact us if you would like more information about the issues raised in this article or any matter relating to business regulations.
