Breach details
What | Loss of sensitive personal data (child protection). |
How much | 2 records. |
When | 23 November 2011 |
Why | As a result of a printing problem, two seperate reports were taken from a printer by a social worker, treated as single document and passed to a service user. |
BW Comments
A control that required a user to enter a code to collect their printout would have stopped this problem happening. Given the sensitive nature of the information printed in a social work environment it is not unreasonable – given the widespread availability and relative low cost of this type of system – to now expect this. Other organisations that frequently print such sensitive information should conduct a risk assessment and look at implementing a manual control (such as peer-review of documents) until an upgrade to their printer software can be deployed. |
Regulatory action
Regulator | ICO | Action | Monetary penalty of £ 60,000 |
When | 19 November 2012 |
Why the regulator acted
Breach of act | Breach of the seventh principle: the council failed to take appropriate technical and organisational measures against unauthorised processing of personal data, in particular a failure to provide a more secure way of providing access to printout, given the sensitive nature of the information provided. |
Known or should have known | The ICO’s view was that the Council should have known that any disclosure of such sensitive information would have the potential to be extremely damaging and accordingly should have had controls in place to minimise the possibility of a beach of confidentiality caused by human error. |
Likely to cause damage or distress | The information concerned child protection and could have have resulted in “physical harm or blackmail”. |
BW Observations
It could be argued that the ICO’s argument for the ‘known or should have known’ test has the benefit of hindsight, however the breach occurred because there were no controls in place and not because a in-place control failed. |
Links
View PDF of the Plymouth City Council Monetary Penalty Notice (Breach Watch Archive) |
View PDF of the Plymouth City Council Monetary Penalty Notice (Via ICO Website) |