A London council has been warned to toughen up the way it protects personal information after a social worker left court documents on the roof of her car and drove off.
The London Borough of Ealing has signed up to a series of measures drawn up with the Information Commissioner’s Office to improve its data protection practices following the incident.
Personal data, some of it sensitive, relating to 27 people and including 14 children was lost when the social worker accidentally left them on top of her car in February this year. The documents have never been recovered.
Sally-Anne Poole, enforcement manager at the ICO, said:
“This council failed to follow our previous advice that it needed to improve training to make sure staff know how to look after personal information.
“Many of us have no choice but to take work out of the office. But when that work includes personal data, there is an obligation to ensure it’s kept safe. People have a right to expect that will happen.
“Losing personal data – especially sensitive data – can cause damage and distress to the people involved.”
More than a quarter (27%) of social workers in the council’s children’s services department were temporary. One of the failings the ICO’s investigation found was that the council had no record of how many of these temporary staff had completed refresher data protection training.
Ms Poole said:
“It’s vital that if councils are using temporary staff they make sure they, as well as permanent staff, are up to speed with how to look after people’s personal information.”
The undertaking signed by Ealing Council outlines a series of commitments including improving staff training in data protection and reviewing policies around how documents are protected when taken out of the office.
The ICO will be hosting a webinar on December 14 looking at some of the issues caused by working away from the office. You can sign up to this webinar on the GoToWebinar website.
Notes to Editors
- The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
- The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.
- The ICO can take action to change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit. The ICO has the power to impose a monetary penalty on a data controller of up to £500,000.
- Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:fairly and lawfully processed;
- processed for limited purposes;
- adequate, relevant and not excessive;
- accurate and up to date;
- not kept for longer than is necessary;
- processed in line with your rights;
- secure; and
- not transferred to other countries without adequate protection.
- Undertakings are one of the forms of regulatory action set out in the ICO’s Regulatory Action Policy.
- To report a concern to the ICO telephone our helpline 0303 123 1113 or go to ico.org.uk/concerns