The Information Commissioner’s Office (ICO) has ordered the Council of the Isle of Scilly to implement a new data protection regime after it failed to take adequate action in response to two data breaches.
The two incidents involved personal information relating to two separate disciplinary investigations being emailed more widely than they should have been.
Following consideration of remedial action taken by the council following the incidents, the commissioner has now issued an enforcement notice under section 40 of the 1998 Data Protection Act.
ICO head of enforcement Stephen Eckersley said: “Personal data must be handled securely and safely. The council has failed to do so and must now make immediate changes.
“The people of the Isles of Scilly need to be confident their council understands and complies with the law. Our undertaking will help ensure they do so.”
The first incident took place in June 2013 when an attachment including unredacted personal data relating to third parties was emailed in error to an employee who was subject to a disciplinary hearing and their union representative.
The commissioner’s initial investigation found that whilst the individual who sent the email was “aware of the information governance implications of sending such data via this medium, in general there was no formal data protection training in place at the authority”.
The second incident, which came to light in September 2013, involved the disclosure of two documents containing sensitive personal data relating to an investigation into the conduct of a former headteacher.
The documents, an audit report and the transcript of an interview ended up in the public domain.
The investigation by the ICO found that the documents had been emailed to non-corporate personal email accounts without password or encryption protection.
Its report said: “A number of persons and organisations were privy to the information and the council considered that they had a legitimate business need to receive the information.
“However, weaknesses surrounding the distribution of the documents, which prevented the effective control of the information contained within them, were identified…”
After reviewing measures taken by the council to remedy the situation, the ICO has ordered council chief executive Theo Leijser to sign an undertaking to:
- implement and enforce mandatory data protection training in relation to the use of personal data;
- set up a refresher programme to ensure that data protection training is usdated at regular intervals;
- draft and communicate guidance relating the safe transfer of personal data by email, including provisions relating to encryption
- draft a policy on the application of redactions;
- implement other measures to ensure personal data is protected against unauthorised and unlawful processing, accidental loss, destruction, and/or damage;
- Monitor compliance with internal policies on data protection and ICT security.