Updated Norfolk County Council left files containing sensitive information about children in a cabinet that was dispatched to a second-hand shop.
As a result of the gaffe, the council, tucked away on the east coast of England, was this month fined £60,000 [PDF] by the UK Information Commissioner's Office (ICO)
The cockup occurred when the children's social work team at the council had a third party collect some unneeded furniture from an office in Norfolk as part of a relocation. These went to a second-hand shop, where a member of the public purchased the cabinet and found sensitive information relating to seven children.
Steve Eckersley, ICO Head of Enforcement, said: “The council had disposed of some furniture as part of an office move but had failed to ensure that the cabinets were empty before disposal.
“Councils have a duty to look after any personal information they hold, all the more so when highly sensitive information is concerned – in particular about adults and children in vulnerable circumstances.
“For no good reason Norfolk County Council appears to have overlooked the need to ensure it had robust measures in place to protect this information. It should have had a written procedure in place which made it clear that any storage items removed from the office which may have contained personal were thoroughly checked before disposal.”
Simon George, Executive Director for Finance and Commercial Services, said: “We want to reassure residents that we have robust data protection procedures and have tightened practice in the light of the case published today. As a council we take data protection very seriously and we are very sorry that our practice fell short on this occasion. We accept the ruling and the fine. There is no evidence that this information has been misused in any way and we are grateful to the member of public that quickly brought this to our attention. We voluntarily reported ourselves to the Information Commissioner and we undertook a careful review to ensure that we could learn from what happened.
“In the three years since this occurred, we have taken strong and effective action to ensure it is not repeated. This has included introducing robust procedures for office moves and training to ensure that our staff are aware of these procedures. Staff also receive mandatory rolling training to ensure they understand their overall data protection responsibilities. A recent voluntary ICO audit gave us the second highest rating for records management and training and awareness.
“We handle a huge amount of personal data every day and incidents such as this are rare but we will continue to monitor and review practice to ensure that the personal data we hold is kept safe.” ®