Many of us using email as a regular means of correspondence are aware of just how easy it is to send an email to the wrong person, particularly where we have a number of contacts with the same or similar names. Whether on a professional or personal level, such a mistake can cause confusion and be extremely embarrassing for the sender.

What most people do not realise is that, if the email contains personal data, one of the consequences of sending it to an un-intended recipient could be a hefty fine. A recent case involving Surrey County Council highlights the price that can be paid for such a data leak.    

The Information Commissioner’s Office (ICO) fined the Council £120,000 following three separate incidents of employees sending e-mails with files or attachments containing sensitive personal data to the wrong recipients. The Data Protection Act 1998 (Act) defines sensitive personal data as information about an individual’s racial or ethnic origin; political opinions; religious beliefs; trade union membership; health; sexual life; alleged criminal activity and court proceedings. The Act requires organisations to put in place technical and organisational measures to prevent unauthorised or unlawful processing of any personal data (not just sensitive personal data).
The data mistakenly leaked by the Council’s employees included information relating to the health and welfare of vulnerable adults and children. In one incident, the Council’s Adult Social Care Teams unit sent an email with a file containing details of the physical and mental health of 241 vulnerable adults to a group email address that included 361 taxi, coach and mini-bus companies. The ICO found that the data had not been encrypted and could have been viewed by a significant number of unauthorised individuals.

The level of the fine imposed by the ICO undoubtedly reflects the highly sensitive nature of the information that was exposed and the Council’s failure to put in place appropriate measures against the unauthorised processing of the data even though it was aware that two major leaks had already taken place. However, in the words of the ICO, “this case should act as a warning to others that lax data protection practices will not be tolerated”. If you are storing and processing personal data it is essential that you put in place suitable technical and organisational measures to prevent the information getting into the wrong hands. If a leak does occur, then you must quickly identify the exposure risks and ensure that it does not happen again.

For information or advice on the Data Protection Act 1998 contact Tracey Dickens at tracey.dickens@birkettlong.co.uk.