ICO (UK) - Nottinghamshire County Council

From GDPRhub
ICO - Nottinghamshire County Council
Authority: ICO (UK)
Jurisdiction: United Kingdom
Relevant Law: Article 32(1) GDPR
Article 58(2)(b) GDPR
Type: Other
Outcome: n/a
Started:
Decided: 11.08.2023
Published: 27.09.2023
Fine: n/a
Parties: n/a
National Case Number/Name: Nottinghamshire County Council
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): English
Original Source: ICO (in EN)
Initial Contributor: Gauravpathak

The Information Commissioner’s Office (ICO) reprimanded Nottinghamshire County Council for infringing Article 32(1) UK GDPR. The Council's failure to implement appropriate technical and organisational measures resulted in a social worker sending unredacted copies of a Child and Family Assessment report to a mother and her two ex-partners, each the father of one of the two children covered by the report.

English Summary

Facts

Nottinghamshire County Council is the data controller. It operates the Council Assessment Service (CAS), which prepares Child and Family Assessments (CFAs). A CFA is prepared by social workers and assesses the needs of vulnerable children where there are concerns about the capacity of their parents or caregivers to meet those needs.

The data subjects are the users of social services and the children whose needs are assessed. Because of the nature of the assessments, the personal data processed is regularly highly sensitive.

A social worker who had prepared the CFA sent an unredacted copy of the assessment report concerning two children to their mother and her two ex-partners, each the father of one of the children. The report contained sensitive personal data that should have been redacted from the copies sent to the mother's ex-partners. The Council's procedure required every CFA to be signed off by a team manager before dissemination; the manager signed off the report without noticing the missing redactions, so the unredacted copies were distributed to all parties.

In the two years before this incident, Nottinghamshire County Council had recorded another 16 separate incidents in which a failure to redact adequately led to sensitive personal data being disclosed, several of them giving rise to safeguarding concerns.

Holding

The ICO held that the manager sign-off procedure was not sufficiently robust, as the failure in this case showed, and identified the root cause as a lack of training and clear policies on redaction: until April 2022, after the incident, the only reference to redaction in the Council's training materials was a short, generic mention in the basic data protection training given to new starters. The ICO considered the breach serious because the disclosed material related to previous domestic violence by the recipient against the mother and the children, so the disclosure put them at risk of actual physical harm.

The ICO considered and welcomed the remedial steps taken by Nottinghamshire County Council, in particular the detailed Disclosure and Redaction Guidance put in place in April 2022. Taking into account all the circumstances of the case, it reprimanded Nottinghamshire County Council under Article 58(2)(b) UK GDPR for infringing Article 32(1) UK GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is reproduced from the English original. Please refer to the original source for the authoritative text.

Reprimand - final

DATA PROTECTION ACT 2018 AND UK GENERAL DATA PROTECTION REGULATION

REPRIMAND

To: Nottinghamshire County Council

Of: County Hall, Loughborough Road, West Bridgford, Nottingham, NG2 7QP

Introduction

The Information Commissioner (the Commissioner) issues a reprimand to Nottinghamshire County Council in accordance with Article 58(2)(b) of the UK General Data Protection Regulation in respect of certain infringements of the UK GDPR.

Infringements of the UK GDPR

The Commissioner has decided to issue a reprimand to Nottinghamshire County Council in respect of an infringement of the following Article of the UK GDPR:

• Article 32(1) of the UK GDPR, which states:

“Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

a) the pseudonymisation and encryption of personal data;

b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.”

The reasons for the Commissioner’s findings are set out below.

The Council Assessment Service (CAS) is a service within Nottinghamshire County Council. The CAS is responsible for, among other things, preparing Child and Family Assessments (CFA) which assess the needs of vulnerable children in situations where there are concerns about the capacity of his or her parents or care givers to meet those needs. CFAs are prepared by social workers.

The data subjects are, therefore, users of social services and the children of those service users. Due to the nature of the assessments being carried out, the personal data processed is regularly of a highly sensitive nature, that will have an impact on the interests and freedoms of the data subject.

In this case, a social care team in the CAS completed a CFA related to the wellbeing of two children in a household in Nottinghamshire.

A social worker sent copies of the assessment report to the mother and her two ex-partners: each the father of one of the two children. The report contained sensitive personal data which should have been redacted from the copies sent to the partners.

For the following reasons, the Commissioner takes the view that Nottinghamshire County Council had not implemented appropriate organisational measures to ensure the security of the personal data in this case. This is an infringement of Article 32(1).


Infringement Details

Lack of robust procedures

Although the initial failure to redact sensitive information from the CFA was described as an oversight or human error, there was a procedure in place that required all CFAs to be signed off by a team manager prior to dissemination.

In this case, regardless of the initial error on the part of the social worker, a report with a significant lack of redaction was signed off by a team manager and distributed to all the relevant parties.

The procedure that was in place was not sufficiently robust as to stop this from happening. The investigation identified the root cause of this failure as a lack of training and clear policies regarding the redaction of sensitive documents, which would have made the procedure more robust.

Lack of training and guidance on redaction

Nottinghamshire County Council confirmed that detailed guidance on carrying out effective disclosure and redaction was not provided or made available to staff until April 2022, which was subsequent to the incident.

Prior to this, the only reference to redaction in training materials was a short, generic and high level reference to redaction within a document that provided new starters with basic data protection training.

Given the potential risk of damage and/or distress that would result from an accidental disclosure in this work, the Commissioner would expect extensive guidance and training to have already been in place, which covered the relevant processes that were central to the role of producing CFAs.



Previous incidents

Nottinghamshire County Council confirmed that, in the two years previous to the incident, there had been another 16 separate incidents where failure to adequately redact resulted in sensitive personal data being disclosed, with a number of these incidents resulting in safeguarding concerns.

Severity of breach

The breach in this instance was serious. It put the mother and the two children at risk of actual physical harm. The material that was disclosed to the third party was in relation to previous domestic violence that the third party had enacted on the mother and the two children. This disclosure created a volatile and dangerous situation between the parties.

Mitigating Factors / Remedial steps taken by Nottinghamshire County Council

The Commissioner has considered and welcomes the remedial steps taken by Nottinghamshire County Council in the light of this incident. In particular Nottinghamshire County Council has, in April 2022, put in place detailed and comprehensive guidance in relation to the redaction of documents (Disclosure and Redaction Guidance), and a copy of this procedure has been provided to the Commissioner.






The Reprimand

Taking into account all the circumstances of this case (including the remedial steps), the Commissioner has decided to issue a reprimand to Nottinghamshire County Council in relation to the infringements of Article 32(1) of the UK GDPR set out above.

11 August 2023

Mark Palmer – Investigation Officer