Leicester City Council have launched an investigation after an email with highly sensitive, confidential data attached was sent to 27 taxi companies. The attachment is said to have included information on a number of vulnerable people, including children.
The email was sent on Tuesday, 9 January. Twenty-four hours later a further email was sent asking for the original email to be deleted without being read or opened, and to also delete it from the deleted items folder. The recall email was said to have stated that disclosing any of the information contained in the original email would be a breach of the Data Protection Act.
Councillor Ross Grant said the news made him “feel sick in my stomach”.
We are talking children the court has taken action to protect from someone who would put them at risk, and the council is potentially the organisation leaking their address. There is no guarantee this has not been copied and spread; we cannot put the genie back in the bottle. I am not happy at all. I have had no answers to my questions from the council, and if I don’t get some I will be taking it to a higher level.
A council spokesperson said:
Information was mistakenly shared by a staff member with 27 taxi firms we hold contracts with. Information would normally be shared with taxi companies on a much more limited basis. We take data protection and confidentiality very seriously and took immediate action, contacting all of the firms and asking them to delete the information. We reminded them that under the terms of their contract, they must comply with laws on data protection. We are investigating and will report this incident to the Information Commissioner’s Office.
The breach was doubtless caused by human error and is a reminder that an organisation’s employees can pose a significant threat to data security. It reiterates the importance of staff awareness training to ensure that all employees who have access to sensitive data have the correct knowledge and a good understanding of information security and best practice.
It is only a matter of months before the General Data Protection Regulation (GDPR) is enforced. A key requirement will be that organisations must adopt “appropriate technical and organisational measures” to protect personal data.
Staff awareness training
Rolling out a comprehensive staff awareness programme will give employees a clear understanding of their compliance requirements, your organisation’s security policies and procedures, and information security best practice to reduce preventable mistakes. Training needs to be ongoing and continually reinforced across the organisation to reiterate the importance of compliance and security.
Alternatively, consider our Security Awareness Programme, which creates a total culture change and tackles employee behaviour to generate tangible and lasting organisation-wide security awareness.