“Unacceptable & inexcusable”: council hit with £70k fine for leaving vulnerable people's info wide open

Written by PublicTechnology staff on 1 September 2017 in News

Watchdog finds that Nottinghamshire County Council failed to keep personal data - including care needs and postcodes - safe

The UK’s information watchdog has handed down a £70,000 fine to Nottinghamshire County Council after it left the personal information of vulnerable social care users accessible to anyone for almost five years.

Under the Data Protection Act, organisations are required to take appropriate steps to keep personal data safe.

But the Information Commissioner’s Office - which upholds information rights in the UK - found that an online portal created by the council left highly personal information about service users fully exposed.

Nottinghamshire’s ‘Home Care Allocation System’, an online portal through which social care providers could confirm that they were able to support particular service users, was launched in July 2011.

Providers were sent a link to the HCAS via e-mail, allowing them to view information including people’s gender, address, postcode and personal care needs.

However, accessing the system did not require the use of a username or password and the information was also reachable through search engines.

According to the ICO, the data of some 3,000 people was posted to the system in the five years it was online.

In its judgment, the ICO said the council had contravened the Data Protection Act in a way “likely to cause substantial damage and substantial distress” and said it had then “failed to take reasonable steps to prevent the contravention”.

The ICO’s head of enforcement Steve Eckersley said Nottinghamshire County Council had been guilty of a “serious and prolonged breach of the law”.

“For no good reason, the council overlooked the need to put robust measures in place to protect people’s personal information, despite having the financial and staffing resources available,” he added.

“Given the sensitive nature of the personal data and the vulnerability of the people involved, this was totally unacceptable and inexcusable. Organisations need to understand that they have to treat the security of data as seriously as they take the security of their premises or their finances.”

HCAS was taken offline in June 2016 after a member of the public raised their concerns with the council. The ICO said Nottinghamshire had reported the incident to the watchdog itself and had cooperated with its investigation, but it added that imposing a £70,000 fine would serve as “an opportunity to remind data controllers to ensure that appropriate and effective security measures are applied to personal data”.

Nottinghamshire County Council has until September 27 to pay the fine, with the ICO saying it would be reduced by 20% to £56,000 if the council pays it by September 26.

A survey carried out by the ICO earlier this year found that a quarter of councils do not have a data protection officer, while more than 15% don’t provide data protection training for employees.

