ICO fines council £70,000 for leaving personal information exposed online for 5 years

Published on: 28/09/2017

#Data Protection

Nottinghamshire County Council has been fined £70,000 after posting the gender, addresses, postcodes and care requirements of 3,000 elderly and disabled people in an online directory over a five-year period. The directory had no basic security controls and no access restrictions: it could be viewed without a username or password.

The breach was discovered when a member of the public inadvertently came across the data while browsing the internet. They subsequently alerted the authorities, concerned that the data could be used by criminals to target vulnerable people or their homes.

The Information Commissioner's Office (ICO) described it as "a serious and prolonged breach" of the Data Protection Act that "was totally unacceptable and inexcusable." Although names were not included, the ICO concluded that a determined person would be able to identify individual service users from the remaining details. This constituted a failure to take appropriate technical measures against the unauthorised and unlawful processing of personal data. The council offered no mitigation to the ICO and was issued with the £70,000 fine. Nottinghamshire County Council has since apologised and "wholeheartedly accepted" the ICO's findings.

Under the upcoming EU General Data Protection Regulation (GDPR) and the Data Protection Bill, which is currently going through Parliament, the potential sanctions for such breaches become even more severe. Contact Clarkslegal for more information on how to prepare.

Disclaimer

This information is for guidance purposes only and should not be regarded as a substitute for taking professional and legal advice. Please refer to the full General Notices on our website.