Breach details
| What | Inappropriate disclosure of sensitive personal information. |
| How much | Two records. |
| When | 12 November 2010 |
| Why | A council employee accidently sent five emails (on separate occasions), two of which contained highly sensitive information relating to a child’s serious case review, to the wrong NHS employee. |
Regulatory action
| Regulator | ICO | Action | Monetary penalty of £ 60,000 |
| When | 28 November 2011 |
Why the regulator acted
| Breach of act | Staff not given sufficient information governance training and management should have signed off on emails, ensuring that all sensitive data was encrypted. Inappropriate organisational and technical measures. |
| Known or should have known | Data controller was used to handling confidential and sensitive data and should have been aware of the “self evident” risks of drop down email menus. Repeated breaches demonstrate this fact. |
| Likely to cause damage or distress | Data related to vulnerable individuals and could be misused. |
Links
| View PDF of the North Somerset Council Monetary Penalty Notice (Breach Watch Archive) |
| View PDF of the North Somerset Council Monetary Penalty Notice (Via ICO Website) |