ICO exposes three UK councils for awful child data practices

The Information Commissioner’s Office (ICO) is taking action against three UK councils after it revealed that the private data of over 9,000 children had been stolen due to employee negligence.

The London Borough of Barnet, West Sussex County Council, and Buckinghamshire County Council were found to have breached the Data Protection Act by putting the sensitive personal data of thousands of UK children in danger.

The London Borough of Barnet reported a theft at the home of one of its employees, with thieves making off with a USB stick and CDs containing the private data of over 9,000 children and members of their families. The employee in question had downloaded the data to these devices without authorisation and failed to encrypt any of it, meaning the thieves can access it instantly by simplying plugging the devices into a computer.

A laptop was stolen from the home of a West Sussex County Council employee, which contained sensitive information relating to children and was also unencrypted. In fact, the ICO found out that 2,300 unencrypted laptops are still being used by this council alone, but pressure from the ICO is helping it to see the error of its ways and finally encrypt private data.

Buckinghamshire County Council also reported a theft, this time of documents from Heathrow Airport. The documents, which contained the personal data of two children, were in a plastic wallet of a social worker who was travelling to another UK city to address the social care case for those children. The ICO found that security had not been factored into the transport of these documents while travelling, ultimately leading to the theft.

Poor training and lack of overall security protocol are being blamed for these incidents. In an audit of the London Borought of Barnet before the robbery took place the ICO reported failures in staff training, problems which were not addressed. The ICO stated that it was “particularly concerned” about this incident, since warnings had previously been given and ignored.

Now all three Councils have signed formal agreements to properly train and educate their staff on proper data protection and security, including ensuring that all devices containing sensitive data are encrypted.

“These three councils have shown a poor regard for the importance of protecting children’s personal information,” said Sally-anne Poole, Enforcement Group Manager at the ICO. “It is essential that councils ensure the correct preventative safeguards are in place when storing and transferring personal information, especially when it concerns sensitive information relating to children. A lack of awareness and training in data protection requirements can lead to personal information falling into the wrong hands.”

TechEye spoke to Alex Dean, Director of the privacy group Big Brother Watch, who told us: “This is extremely worrying. Children are entitled to privacy just like adults: these authorities have shown scant regard for the safety of private data.

“Whilst I applaud the ICO for naming and shaming the councils; to get real change in the culture of contempt for privacy, the Commissioner should be able to recommend dismissal of individual personnel.”

He said that this is only the data loss we know about and people with children must be wondering what other data has been lost by these councils.

We also spoke to Cathy Ashley, Chief Executive of the Family Rights Group (FRG), who told us that the FRG welcomes “the strong action taken by the Information Commissioner’s Office”.

“Children and their families have a right to expect any personal details held by any public agency will be kept safely and securely,” she told us. “In the cases highlighted by the Information Commissioner’s Office, the three authorities have clearly failed to display sufficient respect for children’s right to privacy and in doing so potentially sensitive data could have got into the wrong hands. Whilst it’s clear that in some cases failings were in part due to careless actions by individuals, nevertheless it is imperative that all public agencies should have in place the procedures and training to ensure that all relevant staff are fully aware of their responsibilities in holding personal data.”

She said that the FRG was concerned that the introduction of Contact Point, an online directory of children and professionals working with them, would lead to more incidents of children’s data being put at risk and therefore welcomes the Government’s decision to scrap it.