Breach details
| What | Loss of sensitive personal information on three occasions. |
| How much | 241 records. |
| When | May – June 2010 |
| Why | Records were accidently sent out in an email copied to a global distribution list, minutes of a confidential strategy discussion erroneously emailed to a newsletter distribution group. Additional records were erroneously emailed to an incorrect internal email group. |
Regulatory action
| Regulator | ICO | Action | Monetary penalty of £ 120,000 |
| When | 9 June 2011 |
Why the regulator acted
| Breach of act | Emails were unencrypted and sent to the wrong recipients. Inappropriate organisational and technical measures. |
| Known or should have known | The risk of incorrect drop down boxes being selected were “self evident”. |
| Likely to cause damage or distress | Records related to special needs. |
Links
| View PDF of the Surrey Council Monetary Penalty Notice (Breach Watch Archive) |
| View PDF of the Surrey Council Monetary Penalty Notice (Via ICO Website) |