Yesterday, the Information Commissioner’s Office (ICO) announced that it had issued its first monetary penalty against a charity.
Once again, the fine has arisen out of a breach of the Data Protection Act (DPA) in relation to the handling of sensitive personal information in the health and social care sector. The decision highlights a number of important information security issues, and also raises some interesting issues in relation to data sharing arrangements between data controllers.
An employee of the data controller, a charity that acts as an adoption agency, had obtained background reports from two local authorities in relation to four children who were in care. The employee had requested the reports so that she could inform prospective adopters of potential issues that may arise when caring for the children. The reports contained confidential and highly sensitive personal data relating to the children and their families.
The employee attempted to hand deliver the bundle of papers to one couple. Upon finding that they were not home, the employee left the package in a “concealed area at the side of the house” and phoned the prospective adopters to tell them where to find the package. Unfortunately, by the time the couple arrived home, the package was gone.
The data controller’s information security measures
The data controller had in place a data security policy, but the policy contained no specific guidance on sending personal data to prospective adopters. The data controller had also failed to provide the employee with data protection training, despite a commitment to do so in the policy.
Although not expressly mentioned in the decision notice, it is also implied that the policy did not contain advice on when documents should be circulated in a redacted format, with personal data removed. In this case, it is arguable that there was no need for unredacted reports to be circulated – the reports could simply have referred to Child A, Child B, etc.
As an organisation that regularly handled adoption cases, the data controller should have been aware of the confidential and sensitive nature of the data involved, and the damage and distress that could arise from its loss or misuse.
The ICO therefore found that the data controller had breached the seventh principle of the Data Protection Act by failing to take appropriate organisational measures against accidental loss of personal data.
The role of the local authorities?
It’s interesting to note that the reports in question were provided to the adoption agency in an unredacted format by the local authorities.
In terms of data protection law, it’s fairly clear that the adoption agency was acting as a data controller in its own right. In other words, it determined how personal data in its possession was processed, and was responsible, under data protection law, for ensuring that the personal data was processed in accordance with the DPA. The adoption agency was not acting as a data processor on behalf of the local authorities. This means that the local authorities cannot be held liable under the DPA for the adoption agency’s subsequent breach.
However, the local authorities are responsible under the DPA for the initial disclosure of the reports in an unredacted format to the adoption agency.
The ICO makes no mention of this in its decision notice, and it’s not clear what (if any) controls or restrictions the local authorities imposed on the adoption agency as a condition of the disclosure (for example, a data sharing protocol).
It’s not clear whether the ICO is also taking enforcement action against the local authorities, but if I were one of the data subjects concerned, I might question whether the local authorities concerned had also breached their obligations under the DPA by providing the reports in an unredacted format at a stage when (arguably) there was no need for the reports to be disclosed on that basis.
If the reports could have been disclosed to the prospective adopters in a redacted format (as the ICO implies in its decision), then this is arguably also the case as between the local authorities and the adoption agency. Had the local authorities not disclosed the reports in an unredacted format, then the data breach would not have occurred.
This does not excuse the adoption agency’s breach, but I do wonder whether there are appropriate steps that the local authorities, as original data controllers, should have taken to reduce the risk of the reports being accidentally disclosed.
On October 11, 2012