Three local authorities are facing action from the Information Commissioner after the details of thousands of children were put at risk by breaches of the Data Protection Act. The London Borough of Barnet and West Sussex and Buckinghamshire County councils have been criticised for their ‘systemic lack of staff training on how to handle personal information’.
Sally-anne Poole, Enforcement Group Manager at the ICO, said the councils had shown poor regard for the importance of protecting children’s personal information. “It is essential that councils ensure the correct preventative safeguards are in place when storing and transferring personal information, especially when it concerns sensitive information relating to children,” she said.
In Barnet, an unencrypted, non-password-protected memory stick and CDs holding information on over 9,000 children and members of their families were stolen from the home of an employee. The data had been downloaded onto the unencrypted devices without authorisation. No training was provided and no security was in place to prevent such downloads. An earlier audit by the ICO in the Borough of Barnet had highlighted the lack of staff training.
In West Sussex a laptop had been stolen, again from the home of an employee. It had details of an unknown number of children and families involved in childcare proceedings. In the third case, Buckinghamshire County Council reported the loss, at Heathrow Airport, of documents containing sensitive personal data relating to two children. They were in a plastic wallet belonging to a council social work employee travelling within the UK in connection with the children’s social care case.
Sally-anne Poole added: “I am particularly concerned where a public authority has previously been warned about the lack of staff training in data security. Breaches involving such large numbers of children and family members could easily have been avoided.”