Powys County Council

Breach details

What Disclosure of sensitive personal information.
How much 19 records.
When 4 February 2011
Why A member of the public received a child protection report on an unrelated child along with a document concerning her own child because an employee of the data controller accidentally mixed in another colleague’s work when collecting printing from a shared printer. Although the data controller had said that they considered data protection training vital, they had not made the completion of such training mandatory. This was the second such incident.

Regulatory action

Regulator ICO
Action Monetary penalty of £130,000
Enforcement Notice issued to ensure that by 31 March 2012 all staff with access to personal data undergo full data protection training and that an accurate record is kept of this training.
When 6 December 2011

Why the regulator acted

Breach of act Data sent to an incorrect recipient.
Inappropriate organisational and technical measures.
Known or should have known Following the previous breach, the risk was clear, but insufficient measures were taken to prevent this second breach.
Likely to cause damage or distress Data related to a child and has the potential for misuse.