Hundreds of data protection breaches investigated at Norfolk and Suffolk councils
PUBLISHED: 06:46 19 June 2017 | UPDATED: 08:32 19 June 2017
There have been hundreds of data protection breaches at our councils in the last two years, including information sent to the wrong people, being lost or even stolen.
This newspaper asked Norfolk County Council for details of data protection breaches under the Freedom of Information Act, after it was fined £60,000 by the Information Commissioner’s Office (ICO) in March for leaving files that included sensitive information about children in a cabinet sent to a second hand shop in April 2014.
In the same year, another serious data protection breach was referred to the ICO by the council. In this case information was left insecure and released “inappropriately” to a third person, the council said.
The ICO visited the council last year to investigate its data protection measures.
It found there was “reasonable assurance” that “processes and procedures are in place and delivering data protection compliance”.
However, over the last two years, there have been 280 breaches investigated by the council. The most common was information being sent to the wrong email or postal address. This happened 112 times.
That was followed by information “inappropriately” disclosed in writing or orally to people outside of the council, which happened 67 times.
There were also breaches from equipment being stolen (once), and information or equipment being lost (12 times).
On six occasions information was inappropriately accessed by council employees.
This newspaper also asked the council how many of these breaches resulted in disciplinary proceedings. They said this happened in a “small number of cases” but would not say how many.
A spokesman for the council said: “We handle a huge amount of personal data every day and we take our duty to protect data seriously. So we decided to record every data incident no matter how small and carefully investigate and review these incidents with a view to taking our findings into account in our procedures for staff and in our training.
“In many cases there has been no loss of data or sharing of data outside of the authority; for example, many relate to emails sent to the wrong person within the organisation.”