Email blunder costs council £65,000
Cheshire East Council is slapped with a hefty fine after an email containing sensitive information was passed on to the wrong recipients.
The Information Commissioner's Office (ICO) has brought down the hammer again, this time on Cheshire East Council.
The council was ordered to pay 80,000 for failing to take appropriate measures to ensure the security and appropriateness of disclosure when emailing personal information.
However, East Cheshire Council said the fine has been reduced to 65,000 in order to encourage earlier payment. This represents approximately 80 per cent of the entire fine.
In May 2011, a council employee was asked to contact the local voluntary sector co-coordinator to alert local voluntary workers to a police force's concerns about an individual who was working in the area, the ICO said.
The highly sensitive nature of the information and the need to restrict its circulation should have been made clear to all recipients.
The employee sent the email to the coordinator via her personal email account instead of the council's secure system. According to the ICO, the email contained the name and an alleged alias of the individual, as well as the police's concerns about him.
The coordinator then forwarded the email to the intended 100 recipients. However, because the email did not contain any clear instructions as to how the information should be handled, the recipients forwarded the information to a total of 180 unintended recipients.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
"While we appreciate that it is vitally important for genuine concerns about individuals working in the voluntary sector to be circulated to relevant parties, a robust system must be put in place to ensure that information is appropriately managed and carefully disclosed," said Stephen Eckersley, head of enforcement at ICO.
"Cheshire East Council also failed to provide this particular employee with adequate data protection training. The highly sensitive nature of the information and the need to restrict its circulation should have been made clear to all recipients."
The council has made efforts to prevent further damage by recalling the sensitive email. So far, 57 per cent of the recipients confirmed that they had deleted the email.
In addition to recalling the email, the council has also issued an apology to the person involved.
"This incident has prompted us to scrutinise our policies and procedures very carefully to make sure that this never happens again," said council chief executive Erika Wenzel.
"Staff will be receiving extra training and support in this area and all staff are being urged to remain extremely vigilant with the way sensitive information is handled and distributed."
On Monday, the ICO handed out hefty fines to Norfolk County Council and Croydon Council, meaning the ICO had fined organisations over 1 million in total.
"I hope this case along with the fact that we've handed out over one million pounds worth of penalties since our powers came into force acts as a strong incentive for other councils to ensure that they have sufficient measures in place around protecting personal data," Eckersley said at the time.