A city council has been fined £120,000 after one of its solicitors sent a series of emails relating to a child protection legal case to the wrong address.
The Information Commissioner’s Office (ICO) found Stoke-on-Trent Council in serious breach of the Data Protection Act after 11 emails were sent in December 2011.
They included highly sensitive information relating to the care of a child and further information about the health of two adults and two other children.
The emails should have been sent to counsel instructed on a child protection case. The wrong address was a valid address but the recipient failed to respond when asked to delete the emails. The ICO’s investigation found the solicitor was in breach of the council’s own guidance, which confirmed that sensitive data should be sent over a secure network or encrypted.
However, the council had failed to provide the legal department with encryption software and knew that the team had to send emails to unsecure networks. The council also provided no relevant training.
The fine followed an undertaking by the authority in 2010 when data relating to a childcare case was lost after being stored on an unencrypted memory stick.
Stephen Eckersley, head of enforcement at the ICO, said: ‘If this data had been encrypted then the information would have stayed secure.’
He added: ‘Instead, the authority has received a significant penalty for failing to adopt what is a simple and widely used security measure. It is particularly worrying that a breach in 2010 highlighted similar concerns around encryption at the authority, but the issue was not properly resolved.’
Steve Sankey, assistant director of business technology at the council, said there had been new procedures and security measures implemented.
‘It was prudent after the ICO notified us of our weaknesses that we acted immediately to improve the situation,’ he said.