Devon County Council

Posted on by

Breach details

What Loss of sensitive personal data
How much Personal data relating to approximately 22 data subjects.
When 12 May 2011
Why A social worker prepared an adoption panel report using another family’s report as template. The service users forgot to take the report with them after a meeting and requested it be posted. The report used as a template was posted by mistake.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 90,000
When 10 December 2012

Why the regulator acted

Breach of act Breach of the seventh principle: the council failed to take appropriate organisational measures against unauthorised processing of personal data, such as having a peer checking process for envelopes containing confidential and sensitive personal data and providing appropriate staff training.
Known or should have known Staff working in the People Services department were used to dealing with such cases and the data controller would have been aware of the confidential and sensitive nature of the personal data they were dealing with on a daily basis.
Likely to cause damage or distress The data subjects would suffer from substantial distress knowing that their confidential and sensitive personal data has been disclosed to unauthorised third parties and that their data may have been further disseminated and possibly misused, even if those concerns do not actually materialise. Many of the affected individuals were considered to be vulnerable.

Links

View PDF of the Devon County Council Monetary Penalty Notice (Breach Watch Archive)
View PDF of the Devon County Council Monetary Penalty Notice (Via ICO Website)