Council fined £120,000 after solicitor’s wayward e-mails breach data protection law

Print This Post

By Legal Futures

26 October 2012

Data security: encryption failure

Stoke-on-Trent City Council has been fined £120,000 after an in-house solicitor sent highly sensitive information about a child protection case to the wrong e-mail address, rather than the barrister for whom it was intended.

It has led the Information Commissioner’s Office (ICO) – which levied the penalty for a “serious breach” of the Data Protection Act – to remind organisations that sensitive personal information should be encrypted when being stored and sent electronically.

The breach happened on 14 December 2011 when 11 e-mails were sent by a solicitor at the authority to the wrong address. The e-mails included highly sensitive information relating to the care of a child and further information about the health of two adults and two other children. The e-mails should have been sent to counsel instructed on a child protection case.

The e-mails also contained the brief to counsel, suggested directions and comments about the conduct of the case.

Error, group does not exist! Check your syntax! (ID: 14)

While the authority was able to establish that the e-mail address used was valid, the recipient failed to respond when asked to delete the e-mails.

The ICO’s investigation found the solicitor was in breach of the council’s own guidance, which confirmed that sensitive data should be sent over a secure network or encrypted. However, the solicitor was not disciplined because the council had failed to provide the legal department with encryption software and knew the team had to send e-mails to unsecure networks. The council also provided no relevant training.

In reaching its decision, the ICO also took account of an undertaking previously signed by the authority in early 2010. During this incident sensitive data relating to a childcare case was lost after being stored on an unencrypted memory stick. At the time the council agreed to introduce improvements to keep people’s data secure, including the introduction of encryption for portable devices used to store personal data.

Stephen Eckersley, head of enforcement at the ICO, said: “If this data had been encrypted, then the information would have stayed secure. Instead, the authority has received a significant penalty for failing to adopt what is a simple and widely used security measure.

“It is particularly worrying that a breach in 2010 highlighted similar concerns around encryption at the authority, but the issue was not properly resolved.

“The council has now introduced new measures to improve the security of information sent electronically, as well as signing a legal notice to improve the data protection training provided to their staff. This should limit the chances of further personal information being lost.”

In a statement, the council said it had recently taken proactive extra measures to ensure data breaches are a thing of the past, including a new secure remote access systems for staff working from home, the encryption of all portable devices and media, blocking of unencrypted or non-council USB devices like iPhones and memory sticks, file encryption so that any information to be sent out of the council can be protected, a secure e-mail portal that allows it to communicate sensitive information safely with anyone outside the council and finally updating its anti-virus systems.

Steve Sankey, the council’s assistant director of business technology, said: “We have implemented a lot of new procedures and security measures that will help to prevent future breaches. It was prudent after the Information Commissioner’s Office notified us of our weaknesses that we acted immediately to improve the situation.”


Tags: ,

One Response to “Council fined £120,000 after solicitor’s wayward e-mails breach data protection law”

  1. Unfortunately it is always those meant to be protected that bear the pain of information leaks such as this. Lets hope the Council take this as seriously as the situation deserves!

  2. Kerry Quinn on October 26th, 2012 at 10:28 am

Leave a comment

* Denotes required field

All comments will be moderated before posting. Please see our Terms and Conditions

Legal Futures Blog

The LSB’s proposals for legislative reform: let’s be clear

Caroline Wallace LSB

The publication of the Legal Services Board’s vision for legislative reform of legal services regulation on 12 September has generated a healthy level of interest and debate. This can, on the surface, seem a somewhat dry subject. However, it has an impact not just on existing regulated practitioners, but also on providers of legal services more generally, as well as everyone who uses or benefits from an effective legal sector. And, let’s face it, that’s all of us.

October 25th, 2016