A data breach at Dumfries and Galloway Council was reported just hours after the council announced a new data protection policy.
The Scottish local council announced yesterday that it had approved a new data protection policy, having suffered two significant data breaches last year.
In one incident, salary information about 9,000 council employees was accidentally published online. In the other, contact details of child minders were sent to the wrong recipient.
However, soon after the new data protection policy was announced, the BBC reported that the council had suffered a new breach last week. Confidential files were found by a tourist in a car park where they had been dropped by a social worker.
"A social worker dropped a file containing case information in the social work car park on Irish Street in Dumfries," director of social work John Alexander said today in a statement. "The file was next to the staff member’s car close to the social work building. The social worker found the file was missing within 5 minutes and recovered it from the police station within 20 minutes. I have already put arrangements in place to ensure this will not recur."
Council leader Brian Collins said the new incident underlined the need for tighter data protection policies. "This is exactly why our council agreed a robust data protection policy […], and prepared a data protection response plan back in 2011 which was agreed in February 2012," he said.
"Whilst such plans minimise the risk of a data breach, we can never eliminate human error entirely," Collins added. "We can always learn from such incidents and social work will be checking procedures to see what can be done to make further improvements and make personal data even more secure."
"As far as this incident is concerned, it will be the subject of a report to the Information Commissioner who will determine what action, if any, is to be taken."
The council’s new data protection policy includes eight data protection principles which it must uphold. The principles assert that personal information:
1. Shall [sic] be processed fairly and lawfully and in particular, shall not be processed unless specific conditions are met.
2. Shall be obtained only for one or more specified and lawful purposes […]
3. Shall be adequate, relevant and not excessive in relation to the purpose or purposes for which it is processed
4. Shall be accurate and, where necessary, kept up to date
5. Shall not be kept longer than is necessary for that or those purposes
6. Shall be processed in accordance with the rights of data subjects under the [Data Protection] Act
7. Shall be kept secure, i.e. protected by an appropriate degree of security
8. Shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of data protection