Hampshire County Council fined £100,000 by the ICO after a data breach at a former council site, where it failed to dispose of the personal information of over 100 people
Hampshire County Council said it has taken immediate steps to address a data breach at a former council site after failing to dispose of the personal information of more than 100 people before selling on the property.
Town End House, in Havant, which was previously home to Hampshire County Council’s Adults and Children’s Services department, was sold in August 2014. The property housed social care files and forty-five bags of confidential waste which contained highly sensitive information about adults and children in vulnerable circumstances.
In a statement Hampshire County Council said it had reported the incident to the ICO as soon as it had become aware of the issue, adding that no information had been disclosed outside of the site.
The council said that “at no time was any information disclosed outside of the site”.
“Immediate steps were taken to investigate the matter fully, and remedial action was taken,” it added.
Hampshire apologised for the incident, claiming it took the management and protection of data “very seriously”. However, despite having what it described as appropriate procedures, the council admitted that they had not been properly followed in the case of this incident.
UK data regulator the Information Commissioner’s Office (ICO) carried out an investigation which found the council had failed to follow the law regarding the accidental loss or destruction of data. The authority was issued with a fine of £100,000 as a result.
Upon announcing the fine, ICO head of enforcement, Steve Eckersley, said Hampshire County Council had “put vulnerable people at risk.”
Hampshire’s ICO fine shows the costly data protection errors that can occur when councils are selling off parts of their property portfolio, as many have done.
In recent years, public sector IT managers’ group Socitm has argued that councils and local authorities have much more work to do to improve information governance, citing a poor track record of compliance with the Data Protection Act.
Rather than pointing to technical issues or failures, the organisation cited problems with behaviour and the physical handling of information by councils, often resulting in multiple occurrences of the same form of incident.
These include incorrect disclosure of data, physical loss of documents or information, theft of storage devices, errors with faxes or e-mail addresses and “papers being stolen from a pub”.