Wirral Borough Council breached the Data Protection Act by sending social services records that contained sensitive personal information to the wrong address on two separate occasions early last year.
The ICO said that the records included sensitive personal details relating to two families living in the Merseyside borough. In one case, details of a criminal offence committed by one of the family members were sent to the wrong address.
The ICO undertook an investigation into the council’s procedures and found that it had no mandatory data protection training in place for staff and also didn’t have satisfactory checks in place to make sure records were being sent to the correct address.
The council had also disclosed three other incidents to the ICO previously.
Stephen Eckersley, head of enforcement at the ICO, explained that human error was a factor in each of these cases, but suggested that the council should have done more to keep the information secure.
“Social workers routinely handle sensitive information and Wirral Borough Council failed to ensure their staff received adequate training on how to keep people’s information secure,” he said.
The council has now made data protection training mandatory for all staff and has also agreed to take further action to ensure that these mistakes do not occur again.
This includes putting in place sufficient processes to ensure that documents are sent to the correct address, steps to promote the use of locked printing functions available on printers, and general reviews into the data protection policies and procedures to ensure that practical guidance is provided to staff about how to comply with the Data Protection Act.
All staff, including social workers, have to complete the mandatory data protection training by no later than 30 June 2014.