Council pays the price for data breach

Cheshire East Council has had to fork out £80,000 as a fine for sending someone's personal data out by unsecured email. You do wonder, though - is this actually going to come out of anywhere other than the council tax of the local residents? (NB: the illustration here is intended as a generic "data" illustration; there is no suggestion that the man in it had anything to do with this incident.)

A report on ZDNet confirmed that the incident happened when a council officer had to send a message to a local voluntary sector co-ordinator regarding police concerns about a particular individual.

She sent it but failed to use the council's secure email system, instead using her personal email.


The employee defended her decision by saying the council's system couldn't mail the voluntary sector worker because he didn't have the right sort of account. This is probably correct, but because he received the message as an unsecured email, he assumed it was OK to send the information out further, and it got to another 57 people.

This is of course pretty flaming dismal, particularly if you're the person named in the email. Granted, the council probably had reasons for its concerns, but the individual also has rights to protection.

The answer is of course to train staff properly and anticipate a few eventualities while you're doing it. This council officer should never have been in a position in which she thought it appropriate to make a snap decision on what to do with this sort of (apparently) very sensitive information.

This lack of basic training and knowledge has almost certainly cost the council tax payer £80K. Even if it's paid out of council reserves it will need to be paid back eventually and there's pretty much one way of doing this - charging the ordinary citizen. This should be avoidable relatively easily.