Nottinghamshire County Council has apologised for leaving vulnerable people’s personal information exposed online after being fined £70,000 by data protection watchdogs.
It admitted it was a mistake to leave the gender, addresses, postcodes and care requirements of elderly and disabled people in an online directory that had no basic security or access restrictions, such as a username or password.
A member of the public raised the alarm after realising they could access and view the data without logging in, and was worried it could be used by criminals to target vulnerable people.
Information Commissioner’s Office head of enforcement Steve Eckersley said it had been a 'serious and prolonged' breach of the Data Protection Act.
'For no good reason, the council overlooked the need to put robust measures in place to protect people’s personal information, despite having the financial and staffing resources available.
'Given the sensitive nature of the personal data and the vulnerability of the people involved, this was totally unacceptable and inexcusable.'
Caroline Baria, the council's adult social care service director, said: 'Nottinghamshire County Council takes its responsibility for data security extremely seriously so we are very sorry that this error occurred and wholeheartedly accept the information commissioner’s findings.
'As soon as this matter came to our attention we removed the home care directory from the internet and reported the incident to the commissioner.
'At the time the directory included partial addresses and a brief outline of the care needs of 81 people who have required home care services, but the information did not contain any names or house numbers.
'A full review of procedures has been carried out and we are now using a different system for home care providers outside of the internet.'