By Brian Davidson, CIPP/E
Aberdeen City Council has been served with a 100,000 GBP penalty notice by the Information Commissioner’s Office (ICO) following a data breach that resulted in sensitive information relating to social services involvement with specific individuals, including children’s details, being published online.
The information was published after a council employee accessed documents, including reports and meeting minutes from her second-hand home computer which is thought to have had “auto-upload” program enabled, thereby automatically uploading the documents from her “my documents” folder to a website, and thereby publishing sensitive information about several vulnerable children and their families, including details of alleged criminal offences.
The ICO’s investigation found that the council had no relevant homeworking policy in place for staff and did not have sufficient measures in place to restrict the downloading of sensitive data from the council’s network. In addition, the council did not have any checks and procedures in place to determine whether the council’s existing data protection guidance was being followed in practice.
The files were originally uploaded between 8 and 14 November 2011 and remained published online until 15 February 2012–when another member of staff spotted the documents after carrying out an online search using their own name and job title. The council was then informed and the documents were removed before the incident was reported to the ICO.
A copy of the Monetary Penalty Notice is available here.
Brian Davidson, CIPP/E, is a privacy and information law advisor at Field Fisher Waterhouse, LLP.