Norfolk County Council fined £60000
After an office refurbishment Norfolk County Council donated their old furniture to a second hand shop, but regrettably one of the office cabinets still contained highly sensitive files. The cabinet had been removed from the children’s services department and they contained sensitive information relating to 7 children.
The Cabinet was donated and sold in April 2014, the new owner discovered the files and informed the county council as soon as possible. As a consequence of this error the ICO have fined the council £60000.
Steve Eckersley, ICO Head of Enforcement, said:
“The council had disposed of some furniture as part of an office move but had failed to ensure that the cabinets were empty before disposal.
“Councils have a duty to look after any personal information they hold, all the more so when highly sensitive information is concerned – in particular about adults and children in vulnerable circumstances.
“For no good reason Norfolk County Council appears to have overlooked the need to ensure it had robust measures in place to protect this information. It should have had a written procedure in place which made it clear that any storage items removed from the office which may have contained personal information were thoroughly checked before disposal.”
Simon George, Executive Director for Finance and Commercial Services at the council, said:
“We want to reassure residents that we have robust data protection procedures and have tightened practice in the light of the case published today. As a council we take data protection very seriously and we are very sorry that our practice fell short on this occasion.
We accept the ruling and the fine. There is no evidence that this information has been misused in any way and we are grateful to the member of public that quickly brought this to our attention. We voluntarily reported ourselves to the Information Commissioner and we undertook a careful review to ensure that we could learn from what happened.
In the three years since this occurred, we have taken strong and effective action to ensure it is not repeated. This has included introducing robust procedures for office moves and training to ensure that our staff are aware of these procedures. Staff also receive mandatory rolling training to ensure they understand their overall data protection responsibilities. A recent voluntary ICO audit gave use the second highest rating for records management and training and awareness.
We handle a huge amount of personal data every day and incidents such as this are rare but we will continue to monitor and review practice to ensure that the personal data we hold is kept safe.”