Out-Law News

ICO urges review of homeworking practices after serving local authority with £100,000 data breach fine


UPDATED: Aberdeen City Council is to commit to improving its data protection practices after being hit with a £100,000 fine over a data breach where sensitive information about vulnerable children was published online, the Information Commissioner's Office (ICO) has said.

The watchdog said that it is in discussions with Aberdeen City Council about drafting formal undertakings under which the Council would commit "to improving its compliance with the Data Protection Act". Undertakings are being discussed after the ICO issued the Council with a monetary penalty notice for what it said was a serious breach of the Data Protection Act (DPA).

A female employee at the Council who was working from home accessed documents containing sensitive details about social services' involvement in cases relating to the care of vulnerable children and details of alleged criminal offences. Software installed on the employee's home computer automatically uploaded the documents to a website where they remained for more than three months until another colleague spotted them in February 2012.

The Council deleted the files from the website and reported the incident to the ICO. The watchdog decided that the case merited the serving of a monetary penalty notice. It said that the Council "did not consider the impact homeworking might have on data security" and said its data protection policy was "impractical and ambiguous".

"As more people take the opportunity to work from home, organisations must have adequate measures in place to make sure the personal information being accessed by home workers continues to be kept secure," Ken Macdonald, Assistant Commissioner for Scotland at the ICO, said.

"In this case Aberdeen City Council failed to monitor how personal information was being used and had no guidance to help home workers look after the information. On a wider level, the council also had no checks in place to see whether the council’s existing data protection guidance was being followed. The result was a serious data breach that left the sensitive information of a vulnerable young child freely available online for three months. We would urge all social work departments to sit up and take notice of this case by taking the time to check their home working setup is up to scratch," he said.

Under the DPA the ICO has the power to issue penalties of up to £500,000 for serious data breaches.

The Act requires organisations to take "appropriate technical and organisational measures ... against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data" and requires organisations to be extra protective over sensitive personal data, such as information about criminal offences, due to the harm that can result from its unauthorised disclosure.

In April the ICO conducted a data protection audit of Aberdeen City Council (6-page / 108KB PDF) that focused on data protection governance, training and awareness provisions and monitoring and the security of personal data that the Council has in place.

In its audit report published in June, the ICO said that, following its audit, it has a "reasonable level of assurance" that the Council's "processes and procedures" deliver data protection compliance, although it did identify some areas for improvement.

An Aberdeen City Council spokesman said: "Aberdeen City Council takes data protection extremely seriously and self-reported the matter to the Information Commissioner's Office when it came to light. Policies and procedures for handling sensitive and personal information have since been significantly overhauled to ensure that they are as robust as possible".

"A data protection audit report on the City Council by the ICO this summer found that a comprehensive suite of up-to-date data policies are in place, strong arrangements are in place concerning a wide range of routine data sharing, and the content of data protection and information security training material used by ACC is detailed and thorough," he said.

The Council is not likely to appeal the decision, he said.

Editor's note 2/09/13: The story was updated to include comments from an Aberdeen City Council spokesman.
