Council fined £120,000 after solicitor’s wayward e-mails breach data protection law

Data security: encryption failure

Stoke-on-Trent City Council has been fined £120,000 after an in-house solicitor sent highly sensitive information about a child protection case to the wrong e-mail address, rather than the barrister for whom it was intended.

It has led the Information Commissioner’s Office (ICO) – which levied the penalty for a “serious breach” of the Data Protection Act – to remind organisations that sensitive personal information should be encrypted when being stored and sent electronically.

The breach happened on 14 December 2011 when 11 e-mails were sent by a solicitor at the authority to the wrong address. The e-mails included highly sensitive information relating to the care of a child and further information about the health of two adults and two other children. The e-mails should have been sent to counsel instructed on a child protection case.

The e-mails also contained the brief to counsel, suggested directions and comments about the conduct of the case.

While the authority was able to establish that the e-mail address used was valid, the recipient failed to respond when asked to delete the e-mails.

The ICO’s investigation found the solicitor was in breach of the council’s own guidance, which confirmed that sensitive data should be sent over a secure network or encrypted. However, the solicitor was not disciplined because the council had failed to provide the legal department with encryption software and knew the team had to send e-mails to unsecure networks. The council also provided no relevant training.

In reaching its decision, the ICO also took account of an undertaking previously signed by the authority in early 2010. During this incident sensitive data relating to a childcare case was lost after being stored on an unencrypted memory stick. At the time the council agreed to introduce improvements to keep people’s data secure, including the introduction of encryption for portable devices used to store personal data.

Stephen Eckersley, head of enforcement at the ICO, said: “If this data had been encrypted, then the information would have stayed secure. Instead, the authority has received a significant penalty for failing to adopt what is a simple and widely used security measure.

“It is particularly worrying that a breach in 2010 highlighted similar concerns around encryption at the authority, but the issue was not properly resolved.

“The council has now introduced new measures to improve the security of information sent electronically, as well as signing a legal notice to improve the data protection training provided to their staff. This should limit the chances of further personal information being lost.”

In a statement, the council said it had recently taken proactive extra measures to ensure data breaches are a thing of the past, including a new secure remote access systems for staff working from home, the encryption of all portable devices and media, blocking of unencrypted or non-council USB devices like iPhones and memory sticks, file encryption so that any information to be sent out of the council can be protected, a secure e-mail portal that allows it to communicate sensitive information safely with anyone outside the council and finally updating its anti-virus systems.

Steve Sankey, the council’s assistant director of business technology, said: “We have implemented a lot of new procedures and security measures that will help to prevent future breaches. It was prudent after the Information Commissioner’s Office notified us of our weaknesses that we acted immediately to improve the situation.”



    Readers Comments

  • Unfortunately it is always those meant to be protected that bear the pain of information leaks such as this. Lets hope the Council take this as seriously as the situation deserves!

Leave a Comment

By clicking Submit you consent to Legal Futures storing your personal data and confirm you have read our Privacy Policy and section 5 of our Terms & Conditions which deals with user-generated content. All comments will be moderated before posting.

Required fields are marked *
Email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.


Building a brand – lessons from Cazoo

Building a brand takes more than money – just ask Alex Chesterman, the founder of ill-fated online used car retailer Cazoo, which collapsed into administration last month.

The future of organic search for law firms

In a significant turn of events, thousands of internal Google search API documents have recently been leaked, shedding light on the intricate workings of the search giant’s ranking algorithms.

Commercial real estate: The impact of AI and climate change

There is no doubt climate change poses one of the most complex challenges for the legal industry; nonetheless, our research shows firms are adapting.

Loading animation