|Breach of act
||Breach of the seventh principle: the council failed to take appropriate organisational measures against unauthorised processing of personal data, for example using different styles of envelope for internal and external mail, having a peer checking process and providing appropriate training.
|Known or should have known
|| The ICO was satisfied that the Council should have known that that there was a risk that the contravention would occur and accordingly should have had controls in place to minimise the possibility of a beach of confidentiality caused by human error.
|Likely to cause damage or distress
||The contravention was likely to cause substantial distress to at least one of the data subjects, a vulnerable young person, due to the nature of the data involved.