£140,000 fine after sending child data to wrong people

Share this article
Have your say

A SCOTTISH council has been fined £140,000 after repeatedly releasing sensitive information about vulnerable children and carers to the wrong people.

Midlothian Council was guilty of five data protection breaches in as many months last year.

It is the first local authority in Scotland to be fined by the Information Commissioner’s Office (ICO), which is calling for stronger auditing powers to detect other breaches.

Midlothian has apologised and said staff have been subject to disciplinary proceedings, but insisted no-one was put at risk.

In one instance, on 1 June, child protection minutes were sent to the former home of a mother’s partner, who had lived there in a previous relationship.

“The commissioner understands that the former partner may have further disseminated this information to individuals in the wider local community,” the ICO report said.

The first breach came to light in March, when it emerged the wrong child’s name had been written on an agreement, which was then sent to the wrong family in January.

In May, a “looked after” review and care plan were sent to the wrong GP, where the child was no longer registered.

In the same month, a “looked after care review” and an “accommodated review” were sent to four people who were not entitled to see them.

In the final incident, on 6 June, a letter about the status of a foster carer was mistakenly added to child protection conference papers and sent to seven professionals who were due to attend that meeting, but who had no right to information about the foster carer.

All the information was eventually recovered but the commissioner said that the breaches were avoidable.

Ken Macdonald, Assistant Commissioner for Scotland said: “Information about children’s care, as well as details about their health and wellbeing, is some of the most sensitive information a local authority holds.

“It is of vital importance that this information is protected and that robust policies are followed before it is disclosed.

“The serious upset that these breaches would have caused to the children’s families is obvious and it is extremely concerning that this happened five times in as many months. I hope this penalty acts as a reminder to all organisations across Scotland and the rest of the UK.”

The ICO is asking the UK government for stronger powers to audit data protection compliance, without consent if necessary.

Midlothian Council said it referred itself to the commissioner and insisted its procedures were sound, despite the breaches.

Colin Anderson, chief social work officer, said: “While the council accepts there were mistakes, they were caused by human error. Clear procedures were in place but were not followed.”

He added: “To provide further reassurance, the council will appoint an independent expert to ensure it has done all it can to minimise the risk of recurrence.”