An in-house solicitor dropped sensitive information about child protection cases in the street after taking documents home, the data protection watchdog has revealed.
The Information Commissioner’s Office (ICO) said it had received an undertaking from Oxfordshire County Council after the files were lost last July and handed in the next day to the police.
The documents related to three child protection cases and contained sensitive personal data, including a doctor’s report, a mental health and psychiatric report and other correspondence from medical professionals.
The solicitor had taken the paper files out of the office to work from home but dropped them in the street.
The council said it has put in place a new home-working policy which includes guidance on the security of paper documents for staff. Solicitors will have to complete mandatory data protection training and the council’s data protection policy will also be amended.
In a statement, Oxfordshire County Council said the loss was an ‘unfortunate incident’ which should not have happened and it confirmed ‘appropriate disciplinary action’ has been taken against the person involved, the details of which are confidential.
The statement added: ‘The county council referred itself to the information commissioner about this episode and is putting in place the recommendations which were fed back. Fortunately no harm was done and the misplacement of these documents had no negative bearing on the child protection cases they were to do with.’
The data breach emerged as the information commissioner warned lawyers to secure sensitive material after a spate of complaints.
In the past three months, the data protection watchdog has handled 15 incidents related to solicitors and barristers losing important client information.
Information commissioner Christopher Graham (pictured) described the number as ‘troubling’.
He said: ‘It is important that we sound the alarm at an early stage to make sure this problem is addressed before a barrister or solicitor is left counting the financial and reputational damage of a serious data breach.’
The ICO is particularly concerned about lawyers carrying around large quantities of information in folders or files when taking them to or from court, and storing them at home.
The office can serve a monetary penalty of up to £500,000 for a serious breach of the Data Protection Act, provided the incident had the potential to cause substantial damage or substantial distress to affected individuals.
In most cases these penalties are issued to companies or public authorities, but the ICO said barristers and solicitors are generally classed as data controllers in their own right and are therefore legally responsible for the personal information they process.
Guidance for keeping personal information secures includes not leaving files in cars overnight, carrying only information that is essential, storing personal information on an encrypted memory stick and making sure email addresses are correct before sending an email.
When disposing of an old computer, owners should make sure all the information held on it is permanently deleted.