Watchdog finds that Nottinghamshire County Council failed to keep personal data – including care needs and postcodes – safe
The UK’s information watchdog has handed down a £70,000 fine to Nottinghamshire County Council after it left the personal information of vulnerable social care users accessible to anyone for almost five years.
Under the Data Protection Act, organisations are required to take appropriate steps to keep personal data safe.
But the Information Commissioner’s Office – which upholds information rights in the UK – found that an online portal created by the council left highly personal information about service users fully exposed.
Nottinghamshire’s ‘Home Care Allocation System’ (HCAS), an online portal through which social care providers could confirm that they were able to support particular service users, was launched in July 2011.
Providers were sent a link to the HCAS via e-mail, allowing them to view information including people’s gender, address, post code and personal care needs.
However, accessing the system did not require the use of a username or password and the information was also reachable through search engines.
According to the ICO, the data of some 3,000 people was posted to the system in the five years it was online.
In its judgment, the ICO said the council had contravened the Data Protection Act in a way “likely to cause substantial damage and substantial distress” and said it had then “failed to take reasonable steps to prevent the contravention”.
The ICO’s head of enforcement Steve Eckersley said Nottinghamshire County Council had been guilty of a “serious and prolonged breach of the law”.
“For no good reason, the council overlooked the need to put robust measures in place to protect people’s personal information, despite having the financial and staffing resources available,” he added.
“Given the sensitive nature of the personal data and the vulnerability of the people involved, this was totally unacceptable and inexcusable. Organisations need to understand that they have to treat the security of data as seriously as they take the security of their premises or their finances.”
HCAS was taken offline in June 2016 after a member of the public raised their concerns with the council. The ICO said Nottinghamshire had reported the incident to the watchdog itself and had cooperated with its investigation, but it added that imposing a £70,000 fine would serve as “an opportunity to remind data controllers to ensure that appropriate and effective security measures are applied to personal data”.
Nottinghamshire County Council has until September 27 to pay the fine, with the ICO saying it would be reduced by 20% to £56,000 if the council pays it by September 26.
A survey carried out by the ICO earlier this year found that a quarter of councils do not have a data protection officer, while more than 15% don’t provide data protection training for employees.