Nottinghamshire County Council has received a substantial fine following its failure to protect personal data relating to vulnerable individuals. The council had posted online, in a database without security or access restrictions, the gender, addresses (including postcode) and care needs of disabled and elderly people. The breach was only revealed when a member of the public reported conducting a search using a search engine and being able to access the data. The information was discovered to have been online and accessible for a period of five years, and 3,000 individuals may have had their data posted on the system.

The ICO considered this a prolonged and serious breach. It was also noted that the council had the staff and financial resources available to put in place appropriate safeguards, yet failed to do so. The sensitive nature of the data, as well as the fact it related to vulnerable individuals, were aggravating factors.

The ICO noted:

Organisations need to understand that they have to treat the security of data as seriously as they take the security of their premises or their finances.

The decision underlines the need for a periodic audit to test your security and confirm that you are still compliant.


Originally published 15 September 2017
