Plymouth City Council

Breach details

What: Loss of sensitive personal data (child protection).
How much: 2 records.
When: 23 November 2011
Why: As a result of a printing problem, two separate reports were taken from a printer by a social worker, treated as a single document and passed to a service user.

BW Comments

A control that required a user to enter a code to collect their printout would have stopped this problem happening. Given the sensitive nature of the information printed in a social work environment it is not unreasonable – given the widespread availability and relatively low cost of this type of system – to now expect this. Other organisations that frequently print such sensitive information should conduct a risk assessment and look at implementing a manual control (such as peer-review of documents) until an upgrade to their printer software can be deployed.

Regulatory action

Regulator: ICO
Action: Monetary penalty of £60,000
When: 19 November 2012

Why the regulator acted

Breach of act: Breach of the seventh principle: the council failed to take appropriate technical and organisational measures against unauthorised processing of personal data, in particular a failure to provide a more secure way of providing access to printout, given the sensitive nature of the information provided.
Known or should have known: The ICO’s view was that the Council should have known that any disclosure of such sensitive information would have the potential to be extremely damaging and accordingly should have had controls in place to minimise the possibility of a breach of confidentiality caused by human error.
Likely to cause damage or distress: The information concerned child protection and could have resulted in “physical harm or blackmail”.

BW Observations

It could be argued that the ICO’s argument for the ‘known or should have known’ test has the benefit of hindsight; however, the breach occurred because there were no controls in place, not because an in-place control failed.