Data Breach Leads To £120,000 Fine For Stoke-on-Trent City Council

The Information Commissioner's Office (ICO), the UK body tasked with data protection, has levied a £120,000 fine on Stoke-on-Trent City Council after the authority was found guilty of a serious data breach. The ICO used the announcement to remind organisations the importance of encrypting confidential personal information.

According to the ICO, Stoke-on-Trent City Council has grievously breached the Data Protection Act, repeating a mistake for which it was chastised early in 2010. The previous incident involved the loss of sensitive information pertaining to a childcare case. At that time, the city council was found to have stored the data on an unencrypted memory stick. It agreed to take steps that would improve data security, among those being the introduction of encryption for portable storage devices.

The new transgression shows that the authority has yet to make good on its promise. The latest incident took place in December 2011 and involved dispatching 11 e-mails to the wrong recipient. The messages were sent by a solicitor working for the authority and the lack of encryption put extremely sensitive information into the wrong hands. The data had to do with a child protection case and the e-mails also contained information regarding the health of two adults and two other children, the ICO said. The e-mail address was found to be valid but the recipient did not respond to the request to delete the messages.

The ICO noted that Stoke-on-Trent City Council would have avoided this serious breach simply by encrypting the data. The substantial monetary penalty is its punishment for failing to implement a security measure that is easy to adopt and widely used, as well as negligence in tackling a problem already brought to light, the regulator added.