|Disclosure of sensitive personal information.
|4 February 2011
|A member of the public received a children protection report on an unrelated child along with a document concerning her own child due to an employee of the data controller accidentally mixed in another colleague’s work when collecting printing from a shared printer. Although the Data Controller had said that they considered Data Protection training vital they had not made the completion of such training mandatory. This was the second of such incidents.
|Monetary penalty of £ 130,000
Enforcement Notice Issued to ensure that by 31 March 2012 all staff with access to personal data must undergo full data protection training and that an accurate record must be kept of this training
|6 December 2011
Why the regulator acted
|Breach of act
|Data sent to an incorrect recipient.
Inappropriate organisational and technical measures.
|Known or should have known
|Following the previous breach the risk was clear, but insufficient measures were taken to prevent this second breach.
|Likely to cause damage or distress
|Data related to a child and has the potential for misuse.