The Information Commissioner's Office has fined a local authority in Scotland a record £140,000 for mishandling sensitive information related to children and their carers.
Employees at Midlothian Council accidentally posted the details to the wrong recipients five times in five months, starting in January 2011. Two incidents resulted from inaccurate address data, one from faulty data entry, and another involved accidentally sending out a document that had been picked up from a shared printer.
Ken Macdonald, Scotland's assistant information commissioner, said it was a concern that such similar breaches happened five times in as many months. "I hope this penalty acts as a reminder to all organisations across Scotland and the rest of the UK to ensure that the personal information they handle is kept secure," Macdonald said.
The breaches are similar to those that led to the ICO's previous record penalty, issued to Powys County Council in December last year. The council was fined £130,000 for accidentally posting details of child abuse that had been picked up from a shared printer.
Meanwhile, an NHS Trust is currently facing a fine of £350,000 after stolen hard drives containing unencrypted patient data were sold on eBay.
The Information Commissioner stands to gain more punitive powers under the proposed reforms to the EU's data protection laws, announced last week. The draft reforms propose that organisations must disclose data breaches within 24 hours, and that data protection regulators should be able to issue fines of up to 2% of an organisation's annual turnover. The new legislation would also give the ICO more power to investigate organisations suspected of mishandling data.