Southwark Council breached the Data Protection Act by misplacing a computer and some papers containing 7,200 peoples‚Äô personal information which were discovered in a skip earlier this year, the Information Commissioner‚Äôs Office (ICO) said on November 21….
The computer and papers were mistakenly left at one of the council’s buildings at the Spa Road Complex in Southwark when it was vacated in December 2009. They were then discovered in June 2011 and disposed of by the building’s new tenant. The information stored on the computer and featured in the papers included details of peoples’ names and addresses, along with other information relating to their ethnic background, medical history and any past criminal convictions.
The breach was reported to the ICO in June 2011 shortly after the information was discovered in the skip. The ICO’s enquiries found that, while the council did have information handling and decommissioning policies in place, the policies were not followed when the offices were vacated. The council also failed to make sure the information stored on the computer was encrypted.
The authority has now agreed to take action to keep the personal information it handles secure. This includes introducing new processes governing the transfer and disposal of personal information and making sure that all portable devices used to store sensitive information are fully protected. The council has also agreed to an ICO audit in the new year to help them improve their compliance with the Data Protection Act.
Sally Anne Poole, Acting Head of Enforcement said: “The fact that thousands of residents’ personal details went missing for over two years clearly shows that Southwark Council’s policies for handling personal information are below standard. As this information was lost before the ICO received the power to issue financial penalties we are unable to consider taking more formal action in this case. Southwark Council has committed to putting changes in place and we look forward to completing an audit next year to help them to identify further improvements.”
Separately an undertaking has been signed by Central Essex Community Services after the loss of a birth book containing information about the general health of 249 mothers and their babies. The book – which should have been stored in a locked filing cabinet – was stored on top of the cabinet in a locked room due to no secure storage space being available. The book has never been recovered.
The ICO has ordered the healthcare provider to take action to keep the personal information it uses secure. Staff will be trained on how to follow the organisation’s data protection guidance and compliance with their existing policies will be routinely monitored to make sure they are being followed.
