Council braced for fine over data blunder

Thirty-two data protection breaches have been discovered at Barnsley Council in the space of three months, with the authority now waiting to be told whether it will face a fine over one 'significant' incident.

Wednesday, 18th April 2018, 7:29 pm
Updated Wednesday, 18th April 2018, 7:41 pm
Fine: Barnsley Council could face a bill over data blunder

Councillors were told of the record of problems, which cover a range of different failings. All fell into a category where staff were obliged to send details to the Information Commissioner, which oversees data protection legislation, within three days.

They heard from an official that the period involved spanned January to March and that the number of cases which had to be referred caused “considerable work for the council”.

Although three cases were found to be unsubstantiated and another three involved either the Royal Mail or another local authority, 16 were found to be actual breaches of the Data Protection Act, with another ten exposing weaknesses which “could have caused risk to the council”.

Examples include sending emails to the wrong person, or leaving documents on a printer.

That is regarded as information disclosed in error and there were 14 internal and external emails sent to the wrong recipients, councillors heard.

They were told one was particularly serious, with the official telling the meeting: “Unfortunately, one of these incidents was fairly significant and we did escalate it to the Information Commissioner’s Office on February 23.

“A detailed investigation was submitted on March 7.”

Councillors will be updated later on the outcome and whether the council is fined as a result.

However, they were told “a number of lessons have been learned” as a result, including that staff should ensure address details are correct before sending out sensitive documents.

The disclosure comes ahead of changes to data protection legislation, which leave all private and public sector organisations at risk of huge fines if they breach stringent new rules which come into effect next month.

A recent audit by the Information Commissioner’s Office made 110 recommendations for action over how Barnsley Council handles data, including eight with ‘urgent priority’ status.

Between December and March, 48 were expected to have been resolved, but only 15 have – including two of the urgent items – though work is continuing on others.

A report to councillors stated: “Therefore, 33 have not met the implementation date, however there are a number of recommendations (11) that have the status ‘ongoing’.

“This means that work is in progress but the recommendation cannot be fully categorised as ‘complete’.”

Part of that has been put down to internal changes within the council, with changes in responsibilities between different areas.

Some council departments have dismissed the timescales to introduce the changes as “unrealistic” and they are being renegotiated with the council’s information governance team. However, all the work must be completed by September to meet the demands of the ICO.

It has also emerged the council is facing increased attention from cyber criminals, with 586 incidents reported in the most recent three months available.

Although that is a fall from the previous quarter, it is believed many council staff are not reporting incidents as requested, when they happen.

A recent example was ‘phishing’ emails, which could result in considerable disruption if files sent electronically were opened.

It was known 200 staff had been sent identical emails, but only four had reported them, though fortunately none had made the error of opening the files. Councillors were told: “This year has seen a significant increase in the number of real ‘phishing’ emails.

“The number of reported incidents has dropped but we believe users are not reporting them,” councillors heard.

Although no-one had made the error of opening a file which could corrupt council systems, the failure to report incidents meant a slower response from security staff to deal with the threat.