ICO (UK) - Nottinghamshire County Council
ICO - Nottinghamshire County Council | |
---|---|
Authority: | ICO (UK) |
Jurisdiction: | United Kingdom |
Relevant Law: | Article 32(1) GDPR; Article 58(2)(b) GDPR |
Type: | Other |
Outcome: | n/a |
Started: | |
Decided: | 11.08.2023 |
Published: | 27.09.2023 |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | Nottinghamshire County Council |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | English |
Original Source: | ICO (in EN) |
Initial Contributor: | Gauravpathak |
The Information Commissioner’s Office (ICO) reprimanded Nottinghamshire County Council for infringing Article 32(1) (UK) GDPR. The failure to implement appropriate technical and organisational measures resulted in a social worker sharing unredacted copies of an assessment report with a mother and her two ex-partners, each the father of one of the two children mentioned in the report.
English Summary
Facts
Nottinghamshire County Council is the data controller. It runs a service called the Council Assessment Service (CAS), which prepares Child and Family Assessments (CFA). CFAs are prepared by social workers and assess the well-being of children where there are concerns about the capacity of their parents or caregivers to take proper care of them.
The data subjects are the users of CAS and the children whose well-being is assessed.
A social worker who had prepared the CFA sent an unredacted copy of the assessment report on two children to their mother and to her two ex-partners, each the father of one of the children. The assessment report contained sensitive personal data that should have been redacted from the copies sent to the mother's ex-partners. Before being sent, the report was required to be signed off by a manager; the manager also failed to check it, so unredacted copies were distributed.
Before this incident, 16 incidents of unredacted information being shared had occurred at Nottinghamshire County Council.
Holding
The ICO held that the manager's sign-off procedure was not sufficiently robust, as was evident from the failure in this case. Nottinghamshire County Council had also not provided detailed training to its staff on redaction. The ICO held the breach to be serious because it could have resulted in actual physical harm to the mother and the children, given that the disclosed material concerned domestic violence committed against the mother and children.
The ICO took note of the remedial steps taken by Nottinghamshire County Council, including comprehensive guidance on the redaction of documents. After taking into account all relevant materials and facts, it reprimanded Nottinghamshire County Council under Article 58(2)(b) (UK) GDPR for infringing Article 32(1) (UK) GDPR.
Text of the Decision
The decision below is reproduced from the ICO's English original.
Reprimand - final
DATA PROTECTION ACT 2018 AND UK GENERAL DATA PROTECTION REGULATION
REPRIMAND
To: Nottinghamshire County Council
Of: County Hall, Loughborough Road, West Bridgford, Nottingham, NG2 7QP
Introduction
The Information Commissioner (the Commissioner) issues a reprimand to Nottinghamshire County Council in accordance with Article 58(2)(b) of the UK General Data Protection Regulation in respect of certain infringements of the UK GDPR.
Infringements of the UK GDPR
The Commissioner has decided to issue a reprimand to Nottinghamshire County Council in respect of an infringement of the following Article of the UK GDPR:
• Article 32(1) of the UK GDPR which states: “Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
a) the pseudonymisation and encryption of personal data;
b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.”
that personal data shall be “processed lawfully, fairly and in a transparent manner in relation to the data subject (lawfulness, fairness and transparency)”
The reasons for the Commissioner’s findings are set out below.
The Council Assessment Service (CAS) is a service within Nottinghamshire County Council. The CAS is responsible for, among other things, preparing Child and Family Assessments (CFA) which assess the needs of vulnerable children in situations where there are concerns about the capacity of his or her parents or care givers to meet those needs. CFAs are prepared by social workers. The data subjects are, therefore, users of social services and the children of those service users. Due to the nature of the assessments being carried out, the personal data processed is regularly of a highly sensitive nature, that will have an impact on the interests and freedoms of the data subject.
In this case, a social care team in the CAS completed a CFA related to the wellbeing of two children in a household in Nottinghamshire. A social worker sent copies of the assessment report to the mother and her two ex-partners: each the father of one of the two children. The report contained sensitive personal data which should have been redacted from the copies sent to the partners.
For the following reasons, the Commissioner takes the view that Nottinghamshire County Council had not implemented appropriate organisational measures to ensure the security of the personal data in this case. This is an infringement of Article 32(1).
Infringement Details
Lack of robust procedures
Although the initial failure to redact sensitive information from the CFA was described as an oversight or human error, there was a procedure in place that required all CFAs to be signed off by a team manager prior to dissemination. In this case, regardless of the initial error on the part of the social worker, a report with a significant lack of redaction was signed off by a team manager and distributed to all the relevant parties. The procedure that was in place was not sufficiently robust as to stop this from happening. The investigation identified the root cause of this failure as a lack of training and clear policies regarding the redaction of sensitive documents, which would have made the procedure more robust.
Lack of training and guidance on redaction
Nottinghamshire County Council confirmed that detailed guidance on carrying out effective disclosure and redaction was not provided or made available to staff until April 2022, which was subsequent to the incident. Prior to this, the only reference to redaction in training materials was a short, generic and high level reference to redaction within a document that provided new starters with basic data protection training. Given the potential risk of damage and/or distress that would result from an accidental disclosure in this work, the Commissioner would expect extensive guidance and training to have already been in place, which covered the relevant processes that were central to the role of producing CFAs.
Previous incidents
Nottinghamshire County Council confirmed that, in the two years previous to the incident, there had been another 16 separate incidents where failure to adequately redact resulted in sensitive personal data being disclosed, with a number of these incidents resulting in safeguarding concerns.
Severity of breach
The breach in this instance was serious. It put the mother and the two children at risk of actual physical harm. The material that was disclosed to the third-party was in relation to previous domestic violence that the third-party had enacted on the mother and the two children. This disclosure created a volatile and dangerous situation between the parties.
Mitigating Factors / Remedial steps taken by Nottinghamshire County Council
The Commissioner has considered and welcomes the remedial steps taken by Nottinghamshire County Council in the light of this incident. In particular Nottinghamshire County Council has, in April 2022, put in place detailed and comprehensive guidance in relation to the redaction of documents (Disclosure and Redaction Guidance), and a copy of this procedure has been provided to the Commissioner.
The Reprimand
Taking into account all the circumstances of this case (including the remedial steps), the Commissioner has decided to issue a reprimand to Nottinghamshire County Council in relation to the infringements of Article 32(1) of the UK GDPR set out above.
11 August 2023
Mark Palmer – Investigation Officer