Breach details
| What | Sensitive personal data was inappropriately disclosed. |
| How much | One record and one verbal remark. |
| When | April/May 2012 |
| Why | Sensitive personal data about one family was mistakenly included in the response to a subect access request made by another family; and in a seperate incident a student social worker revealed to the parent of a child under assessmet the first name of the peron who had made an anonymous referral about that parent. |
Regulatory action
| Regulator | ICO | Action | Undertaking to comply with the seventh data protection principle |
| When | 4 April 2013 |
| Details | Both incidents indicated a general lack of data protection awareness and training, along with a lack of management or checking procedures relating to subject access requests and supervision of non-employees, such as students on placement. However in this instance, the risk of substantial damage or distress was considered remote. The data controller undertakes to comply with the Seventh Principle with special regard to training, checking responses to subject access requests, reviewing existing policies and implementing new security measures where necessary. |
Links
| View PDF of the East Riding of Yorkshire Council Undertaking (Breach Watch Archive) |
| View PDF of the East Riding of Yorkshire Council Undertaking (Via ICO Website) |