The Information Commissioner's Office (ICO) handed the penalty to Midlothian Council for the incidents that occurred in January, May and June last year. It is the first time the ICO has issued a fine to a Scottish organisation and is the highest penalty it has ever issued for a breach of data protection laws.
The breaches could have been prevented if the council had appropriate data protection safeguards in place, the ICO said.
"Information about children’s care, as well as details about their health and wellbeing, is some of the most sensitive information a local authority holds," Ken Macdonald, assistant commissioner for Scotland, said in a statement.
"It is of vital importance that this information is protected and that robust policies are followed before it is disclosed. The serious upset that these breaches would have caused to the children’s families is obvious and it is extremely concerning that this happened five times in as many months. I hope this penalty acts as a reminder to all organisations across Scotland and the rest of the UK to ensure that the personal information they handle is kept secure," he said.
An individual had informed Midlothian Council in March 2011 that they had been wrongly sent documents about a child's social care. A staff member at the council's Children and Families Service had been working on several files at the time of the breach, according to the monetary penalty notice (12-page / 1.61MB PDF) the ICO served the council.
However, the council did not take "reasonable steps" to prevent four further breaches of personal data happening after being informed of the first incident, the ICO said.
The fifth and final breach involved a social worker sending a letter containing details about the status of a foster carer to seven people who had attended a "child case conference," the ICO said. Papers relating to the conference and the foster carer had been mixed up during printing and resulted in the information about the carer being sent to the wrong people, it said.
The ICO ordered Midlothian Council to keep personal data secure and up to date. Personal information contained on the council's database was inaccurate, an investigation by the council had revealed. The council is also to alter its data protection policy to include specific rules about how social services staff should handle personal data. Staff at the council will also be required to cross-check outgoing letters if they contain sensitive or confidential data prior to them being sent, whilst data protection training at the council will also be improved, the ICO said.
Under the Data Protection Act organisations in control of personal data are required to keep accurate records of personal data and take "appropriate technical and organisational measures" to prevent "unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data". The Act requires extra care around the handling of sensitive personal data, such as information relating to individuals' "physical or mental health or condition".
Under the Act the ICO has the power to issue fines of up to £500,000 for serious breaches of personal data.