The Information Commissioner’s Office (ICO) has fined Plymouth City Council £60,000 for a "serious breach" of the Data Protection Act, in which the details of a child neglect case were sent to the wrong recipient last year.
The ICO’s report concerned two social workers at the council who worked in the same building as the Children’s Services department and each printed a similar document at the same time.
One of the employees picked up both documents, assuming they were the same print-out. He passed both documents to a mother he was working with.
The photocopied report contained confidential and "highly sensitive personal data" relating to two parents and their four children, including allegations of child neglect resulting in ongoing care proceedings.
The mother contacted the family involved in the care proceedings by sending a private message on a social networking site to tell them she had received the confidential information. She also contacted Plymouth County Council, who reported the incident to the ICO.
The ICO’s investigation found that the council had no secure system in place for printing reports containing sensitive personal data, and had failed to take reasonable steps to ensure reports were checked before being sent out.
"It would be too easy to consider this a simple human error," said Steven Eckersley, head of enforcement at the ICO. "The reality is that this incident happened because not enough care was being taken within the organisation when handling vulnerable people’s sensitive information.
"The distress this incident will have caused the people involved is obvious, and the penalty we have issued today reflects that."