Express & Star

Careless councils' data leak shame - Sandwell Council has second worst record in country

Sensitive personal information has been stolen or leaked in more than 300 data breaches by councils in the Black Country and South Staffordshire over three years, new figures have revealed.

Sandwell Council has the second worst record in the country when it comes to confidential data breaches, with 187 instances recorded between April 2011 and April 2014.

They included a worker who was sacked for accessing 'personal information for personal interest'.

Wolverhampton Council also featured in the top 10, with 100 breaches, including one incident which resulted in a worker getting sacked.

The breaches include a worker leaving a list of vulnerable people on work placements in a lobby, while a list containing the home addresses and telephone numbers of staff was accidentally sent to other workers by email.

In total there were 327 breaches across authorities in the Black Country and South Staffordshire, but only 16 resulted in any form of disciplinary action.

In the UK there were 4,236 data breaches over the period. Privacy campaigners say the figures show that councils are failing to protect the public's personal information.

Big Brother Watch director Emma Carr said: "Despite local councils being trusted with increasing amounts of our personal data, this report highlights that they are simply not able to say it is safe with them.

"With only a tiny fraction of staff being disciplined or dismissed, this raises the question of how seriously local councils take protecting the privacy of the public."

Bosses at Sandwell Council say the high number of breaches recorded by the authority is down to a 'robust approach' in tackling the issue.

"We believe we report data breaches that others don't," said chief executive Jan Britton, adding that the authority had brought in a 'successful internal campaign to highlight what constitutes data incidents'.

"While we may appear second in this list, this may well be because we take the issue so seriously and because staff tell us about incidents.

"The vast majority of all reported incidents invariably turn out to be either internal mis-directed emails or mis-addressed letters."

Wolverhampton's cabinet member for governance, Councillor Paul Sweet, said the authority takes the protection of personal data 'very seriously'.

"The figures need to be viewed in context," he added. "The vast majority of the incidents – 96 per cent – are low in severity.

"Such incidents don't involve sensitive data – a common example is an internal email that gets sent to the wrong colleague that might contain a name or address of a member of the public.

"In a case like this, the email was sent by mistake, but the information never went outside of the council and all of our employees are bound by confidentiality not to disclose personal data.

"All of our employees have completed mandatory training in protecting people's information in line with Information Commissioner requirements.

"We encourage a culture where all actual and suspected data breaches – ranging from low level to the more serious – are formally reported and investigated.

"The most serious data breaches have to be reported to the Information Commissioner and we have only ever had a very small number of these."

There were 34 instances in Walsall, three of which led to members of staff getting fired, while there were 16 cases where personal data was disclosed by mistake.

This included the outcome of a disciplinary hearing, court papers and a GP letter containing medical details - all of which were sent to the wrong addresses. In another incident a bank statement was left on a photocopier.

Councillor Mohammad Arif, Walsall Council's portfolio holder for shared services and procurement, said: "Walsall Council takes the responsibility of handling confidential data extremely seriously.

"Since January 2013, more than 4,600 staff and any contractors who are involved in the processing of information have undertaken rigorous training so that they fully understand the principles of data protection.

"It is now compulsory for new starters to complete this training.

"If and when human error is the source for a data breach, staff understand their role and responsibility to bring this matter to the attention of their line manager.

"Reviews are immediately undertaken to ensure our processes are tightened and in more serious cases, disciplinary action may be warranted."

The Information Commissioner's Office can fine authorities £500,000 for each serious breach - but no council has been fined.

Dudley Council saw six cases over the period, three of which resulted in disciplinary measures. There were no data breaches at Staffordshire County Council.

South Staffordshire Council recorded one breach, which involved a spreadsheet going up online that contained the personal data of 44 former employees.
