We have issued a reprimand to Birmingham Children's Trust Community Interest Company after the personal information of a child was inappropriately disclosed to another family.
The child protection and review department at Birmingham Children's Trust Community Interest Company, which is owned by Birmingham City Council, was working with two neighbouring families when the data breach occurred.
A child protection plan was disclosed to one family that contained both personal information and criminal allegations relating to a child from the neighbouring family. This information was included in error after being copied across from meeting minutes.
Our investigation found that Birmingham Children's Trust Community Interest Company did not have appropriate policies or sufficient practical guidance in place to ensure the security of personal information.
Sally-Anne Poole, Head of Investigations at the ICO, said:
“Children’s personal information requires extra protection and must be handled with great care. This disclosure of personal information by social workers at Birmingham Children's Trust Community Interest Company was a violation of privacy that would have caused distress to both the child and their family.
“We expect all organisations processing personal information to ensure they have robust policies and procedures in place to protect it. We will take action when personal information, especially belonging to children and young people, is compromised.”
We recommended that Birmingham Children's Trust Community Interest Company should take further steps to ensure its compliance with data protection law, including:
- Implement a more granular approach to data protection and create a Standard Operating Procedure with regards to producing social care documents.
- Include a process for any social care product to be independently checked by someone other than the author prior to disclosure.
- Create and implement a corporate redaction policy, which ensures staff have the knowledge and tools, to redact the product if necessary.
The reprimand can be read in full here.
Notes to editors
- The Information Commissioner’s Office (ICO) is the UK’s independent regulator for data protection and information rights law, upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
- The ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA2018), the United Kingdom General Data Protection Regulation (UK GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR), Privacy and Electronic Communications Regulations 2003 (PECR) and a further five acts and regulations.
- The ICO can take action to address and change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit.
- To report a concern to the ICO telephone our helpline 0303 123 1113 or go to Make a complaint.