“Human error” blamed for personal data breaches at Sheffield Council

The council is required to note, assess and deal with any information security or personal data breaches and logged 231 incidents during 2019/20.

Of these, 92 were personal data breaches. The majority involved customers and were caused by human error with emails or post being delivered to the wrong person.

Of these breaches, five were considered serious enough to be reported to the Information Commissioner’s Office (ICO).

They included 279 parking fine letters which were printed double-sided instead of single-sided.

This resulted in around 140 people receiving the names, addresses, and registration numbers of other people and one individual contacted the ICO.

Council director Mark Gannon said: “Incidents can be events that have happened or near misses that affect or are likely to affect the confidentiality, integrity and availability of information.

“Data protection law requires organisations to notify the ICO of the personal data breaches that have a high and ongoing risk.

“Incidents and data breaches have been reported by all Portfolios. The services that handle sensitive personal data are at greater risk because an incident or breach is more likely to have a greater impact on the customer and therefore meet the threshold to notify the ICO.

“There is a continuing and critical need to manage the information we have, safely and securely, to continue to implement sound data protection practice, and to ensure all staff are aware of their responsibilities and have received and completed all the necessary training.”

Tribunal documents were sent to four individuals involved in a housing benefit appeal. The documents included information about each of the individuals, so all four people had access to each other’s health and financial information.

The council reported the breach to the ICO itself and contacted the affected parties to ask for the documents to be returned.

A social worker’s car was broken into and information about individuals was stolen. The council reported the breach to the ICO and notified the affected parties. The council reviewed its practice and issued internal guidance about remote working with paper documents.

Education, Health and Care Plans were posted to a family, but the posted documents never arrived. The council reviewed its practice and issued internal guidance about sending sensitive documents via tracked post.

And a social worker’s house was broken into and the officer’s paper notebook and phone were stolen. The council reported the breach to the ICO.

The ICO took no further action in any of the five cases, although it does have the power to take enforcement action against an organisation.

In 2018/19 there were 248 incidents logged – 116 were classed as personal data breaches.

READ MORE:

- Cyclists and walkers set to rule the road in £10m Sheffield travel revolution

- South Yorkshire MP calls for student nurses to be paid for work during pandemic

- Sheffield Citizens’ Assembly on climate change is paused due to Covid

Thank you to all who support local journalism with a digital or print subscription to The Star. The events of 2020 mean trusted, local journalism is more reliant than ever on your support. We couldn't do it without you. Subscribe here www.thestar.co.uk/subscriptions so we can keep campaigning on your behalf. Stay safe.