Data security: encryption failure
Stoke-on-Trent City Council has been fined £120,000 after an in-house solicitor sent highly sensitive information about a child protection case to the wrong e-mail address, rather than the barrister for whom it was intended.
It has led the Information Commissioner’s Office (ICO) – which levied the penalty for a “serious breach” of the Data Protection Act – to remind organisations that sensitive personal information should be encrypted when being stored and sent electronically.
The breach happened on 14 December 2011 when 11 e-mails were sent by a solicitor at the authority to the wrong address. The e-mails included highly sensitive information relating to the care of a child and further information about the health of two adults and two other children. The e-mails should have been sent to counsel instructed on a child protection case.
The e-mails also contained the brief to counsel, suggested directions and comments about the conduct of the case.
While the authority was able to establish that the e-mail address used was valid, the recipient failed to respond when asked to delete the e-mails.
The ICO’s investigation found the solicitor was in breach of the council’s own guidance, which confirmed that sensitive data should be sent over a secure network or encrypted. However, the solicitor was not disciplined because the council had failed to provide the legal department with encryption software and knew the team had to send e-mails to unsecure networks. The council also provided no relevant training.
In reaching its decision, the ICO also took account of an undertaking previously signed by the authority in early 2010. During this incident sensitive data relating to a childcare case was lost after being stored on an unencrypted memory stick. At the time the council agreed to introduce improvements to keep people’s data secure, including the introduction of encryption for portable devices used to store personal data.
Stephen Eckersley, head of enforcement at the ICO, said: “If this data had been encrypted, then the information would have stayed secure. Instead, the authority has received a significant penalty for failing to adopt what is a simple and widely used security measure.
“It is particularly worrying that a breach in 2010 highlighted similar concerns around encryption at the authority, but the issue was not properly resolved.
“The council has now introduced new measures to improve the security of information sent electronically, as well as signing a legal notice to improve the data protection training provided to their staff. This should limit the chances of further personal information being lost.”
In a statement, the council said it had recently taken proactive extra measures to ensure data breaches are a thing of the past, including a new secure remote access systems for staff working from home, the encryption of all portable devices and media, blocking of unencrypted or non-council USB devices like iPhones and memory sticks, file encryption so that any information to be sent out of the council can be protected, a secure e-mail portal that allows it to communicate sensitive information safely with anyone outside the council and finally updating its anti-virus systems.
Steve Sankey, the council’s assistant director of business technology, said: “We have implemented a lot of new procedures and security measures that will help to prevent future breaches. It was prudent after the Information Commissioner’s Office notified us of our weaknesses that we acted immediately to improve the situation.”
