The Information Commissioner’s Office (ICO) has fined Nottinghamshire County Council £70,000 for leaving elderly and disabled people’s personal data publicly available online for five years.
According to the ICO, the information included the gender, addresses and postcodes of 3,000 people. It also listed many people’s personal care needs and requirements, such as the number of home visits they receive per day and whether they had been or are still in hospital.
A “serious and prolonged breach”
The information had been available online since July 2011, when the council launched its Home Care Allocation System, an online portal through which social care providers confirmed whether they were able to support a particular person.
The portal required no login credentials, so anybody who reached it could read the data. Because a search engine had indexed it, the records were not just accessible but discoverable. The exposure only came to light when a member of the public found the portal through a search engine and reported it.
ICO Head of Enforcement Steve Eckersley said: “This was a serious and prolonged breach of the law. For no good reason, the council overlooked the need to put robust measures in place to protect people’s personal information, despite having the financial and staffing resources available.
“Given the sensitive nature of the personal data and the vulnerability of the people involved, this was totally unacceptable and inexcusable. Organisations need to understand that they have to treat the security of data as seriously as they take the security of their premises or their finances.”
Speaking to the Nottingham Post, Caroline Baria, the council’s adult social care service director, said: “Nottinghamshire County Council takes its responsibility for data security extremely seriously so we are very sorry that this error occurred and wholeheartedly accept the Information Commissioner’s findings.
“As soon as this matter came to our attention we removed the home care directory from the internet and reported the incident to the commissioner.”
She added that the council had conducted a full review of its procedures and was now using a different system for home care providers.
Don’t make the same mistake
Hopefully you don’t need to be told not to leave personal data publicly available on the Internet, but your staff may well be committing more information security mistakes than you’d care to admit.
Our Information Security & ISO27001 Staff Awareness E-Learning Course helps employees gain a better understanding of the risks they face and their requirements to comply with ISO 27001.
ISO 27001 is the international standard that describes best practice for an information security management system (ISMS). It requires organisations to address security at the employee level, including making staff aware of their security responsibilities.
This course is designed for all employees – anyone who processes information, uses information technology in their daily jobs or uses the Internet to conduct business – who need to be aware of their organisation’s ISO 27001 commitments.