Peter A Clarke

The facts were almost comical.  In February this year a harried social worker gets to her car with a bundle of court documents under her arm.  To get to her keys she puts the documents on the roof of the car.  She opens the door and hops into the car and drives off to her next appointment.  The court documents disappear into the wind, onto a gutter or down a drain along the route, never to be seen again.  They possibly found their way into the hands of someone not entitled to read them. The documents contained personal and very sensitive details about 27 people, of which 14 were children.

Whatever else it was, it was  a significant data breach. Which has attracted the no doubt unwanted attention of the UK Information Commissioner’s Office (the “ICO”). As is often the case when a data breach occurs and the regulator becomes involved it is not just the circumstances that lead to the breach that becomes the subject of enquiry.  The whole compliance regime is reviewed.  And often found wanting.   That occured here and resulted in the Council entering an undertaking to improve its control on data.

The ICO’s media release provides:

A London council has been warned to toughen up the way it protects personal information after a social worker left court documents on the roof of her car and drove off.

The London Borough of Ealing has signed up to a series of measures drawn up with the Information Commissioner’s Office to improve its data protection practices following the incident.

Personal data, some of it sensitive, relating to 27 people and including 14 children was lost when the social worker accidentally left them on top of her car in February this year. The documents have never been recovered.

Sally-Anne Poole, enforcement manager at the ICO, said:

“This council failed to follow our previous advice that it needed to improve training to make sure staff know how to look after personal information.

“Many of us have no choice but to take work out of the office. But when that work includes personal data, there is an obligation to ensure it’s kept safe. People have a right to expect that will happen.

“Losing personal data – especially sensitive data – can cause damage and distress to the people involved.”

More than a quarter (27%) of social workers in the council’s children’s services department were temporary. One of the failings the ICO’s investigation found was that the council had no record of how many of these temporary staff had completed refresher data protection training. 

Ms Poole said:

“It’s vital that if councils are using temporary staff they make sure they, as well as permanent staff, are up to speed with how to look after people’s personal information.”

The undertaking signed by Ealing Council outlines a series of commitments including improving staff training in data protection and reviewing policies around how documents are protected when taken out of the office.

The undertaking relevantly noted:

• only 68% of permanent staff within Social Care had completed refresher Data Protection training. This figure does not include the 27o/o of staff within Children’s services made up of locums. The council are therefore unable to determine if those locums have completed refresher training from records held [6].
• no records were available relating to the requirements of the council’s’Paper Records Secure Handling and Transit’ policy. This refers to the requirement for a management approval request to be made for removal of documents from the council’s office and that, having been granted consent, document details are entered into in the office log for reference in case of loss. The Commissioner was also made aware that secure lockable cases had previously been made available but were no longer so [8].

The terms of the undertaking provides:

The data controller shall, as from the date of this Undertaking and for so long as similar standards are required by the Act or other successor legislation, ensure that personal data are processed in accordance with the Seventh Data Protection Principle in Part Iof Schedule 1to the Act, and in particular that:

(1) The council continue to work toward achieving their stated target for 100°/o completion of mandatory, online data protection refresher training for all permanent, locum and temporary Social Care staff who handle personal data by 3 April That the same monitoring and recording processes for the completion of this training are applied to those locum, temporary and permanent social care staff.

(2) The Recording and monitoring of initial and refresher data protection training for non-permanent staff employed in all other departments of the council involved in the handling of personal data is performed as (1)

 (3)The council ensures the use of MetaCompliance is a sufficiently robust mechanism for delivering and measuring refresher DP related training to meet the council’s stated objective of an annual requirement.

(4) The LBE Management Investigation Recommendations, which are welcomed Commissioner, are progressed as follows:

a) The review and, if found to be necessary, implementation of an updated Paper Records Secure Handling and Transit Policy is completed by 3 April 2017.

b) That, where changes result from the above, made aware, via MetaCompliance  or similia Council’s revised policy for the secure hanu11ng ano transit of personal data and this policy forms part of future data protection training programmes where appropriate.

 c) That availability of lockable cases in each area office is completed by 3 April 2017 and that similar arrangements are made in all council departments where removal of similar documents containing personal data from the office is a requirement

d) That the review of providing Social Workers from localities teams with access to mobile working devices when attending court is completed with recommendations made by 3 April

e) That the review with the Legal Social Care and Education Department, regarding roles and responsibilities for printing and transporting documents required as part of court bundles, is completed with recommendations made by 3 April 2017

 (5) The data controller shall implement such other security measures as are appropriate to ensure that personal data is protected against unauthorised and unlawful processing, accidental loss, destruction, and/ or damage.

Closer to home there has been a significant data breach Kingston Council in Melbourne.  A group email to 952 people enclosed a spread sheet which contained very sensitive information relating to 2,112 people.  The reportage by the ABC provides:

A local council in Melbourne’s south-east is embroiled in a privacy breach, after the personal details of more than 2,000 residents were accidentally distributed to the public.

A survey was emailed to 952 clients of the City of Kingston Maternal and Child Health Service on Wednesday, but there was an excel spreadsheet attached containing personal information, including dates of birth, addresses and mobile phone numbers of 2,112 people.

City of Kingston CEO John Nevins apologised for what he described as an unacceptable privacy breach.

“We’re taking immediate action to independently investigate how this occurred,” he said.

“We immediately notified the privacy commissioner yesterday afternoon and we’ll be working closely with the Privacy Commissioner and acting on all his recommendations.”

One of the victims, Samantha Stayner, told 774 ABC Melbourne there were enough details for someone to steal her identity

“It’s my last name, first name, date of birth, my title just Ms, my home address, an alternative postal address if I had one, my mobile number and home number and also my email address,” she said.

“I was shocked and I felt a little bit sick.”

Ms Stayner, who is a producer at 774, said she replied to the council to alert them to their error, but had yet to receive an apology.

“I think just realising the size of this document, I thought ‘gosh, that’s a lot of people’ and the scenarios go through your head,” she said.

“You hope that there aren’t people on that list for whatever reason need to have their identities kept private, it’s a little worrying.”

Mr Nevins said an email was sent on Wednesday night to everyone who received the email, apologising and asking people to delete it.

The Privacy Commissioner has been asked to investigate a major privacy breach involving the Kingston City Council in Melbourne’s southeast, where personal details of thousands of residents were made public.