Nearly 200 data security incidents at South Gloucestershire Council last year

All three breaches by children’s services staff involved sensitive personal details and were reported to the Information Commissioner’s Office (ICO), according to an annual report.

The “human error” breaches were among nearly 200 data security incidents at the council last year, which also saw staff lose an adoption letter in violation of data protection law.

In one breach, a letter containing a foster child’s address was “accidentally” disclosed to the birth mother, a council spokesperson said.

In another, a council officer disclosed to a father the identity of a neighbour who had reported concerns about his ability to look after his children.

In the third breach, sensitive personal data about a person was included in a report and sent to the mother of a child who was thought to be at risk from that person.

No disciplinary action was taken after the foster child’s address was disclosed because a council investigation found it was a “genuine one-off mistake due to a misunderstanding”, the spokesperson said.

But the council revoked the employment contract of the officer who revealed to a father the identity of his complainant, and the two officers responsible for the third breach left after procedures to manage their performance were started.

The three breaches were among 198 data security incidents at the council last year, according to its latest annual report on information, data and security. 

Around 80 per cent of the incidents were in the council’s Department for Children, Adults and Health, which, among many other things, is responsible for children’s and adults social care. 

Deputy council leader Jon Hunt, who is also the cabinet member for children and young people, said the “vast majority” of the incidents were down to “human error” by “very busy” staff.

“It’s very simple errors that happen, and a lot of it is just typing the wrong email address in,” he told a cabinet meeting on June 8.

“But they’re not usually significant data breaches and they’re very easily rectified.

“Also it’s, in terms of sending out information, having the address wrong or misspelling something on it.”

One hundred and fifty of the incidents involved personal data and were reported by the council rather than a third-party provider.

Of these, 66 were “minor” incidents where personal data was limited and/or contained and  81 were personal data breaches that were not serious enough to report to the ICO.

The three serious breaches reported to the ICO were “likely to result in a risk to the rights and freedoms of those whose data has been breached”, the report said.

“In all [three] cases the ICO found that human error accounted for the disclosures and were satisfied with our recovery actions, processes and training.”

The report also revealed that a complaint was laid with the ICO after the council was unable to find an adoption document called a “Later in Life” letter.

Such letters give an adopted child an explanation of the circumstances that led to their adoption.

“The ICO found that we had not acted in line with our data protection obligations and therefore infringed the legislation,” the report said. 

“However, they noted that we have put measures in place to ensure instances of this nature do not occur again.”

All local authorities must comply with data security obligations required by the Data Protection Act 2018 and General Data Protection Regulations (GDPR).

The ICO did not take any further action in the case but warned it “may help form part of our intelligence about the council” should “we continue to receive complaints of a similar nature”, according to the report.

Cabinet member for corporate resources Ben Burton said the council was working with staff to reduce the number of data incidents to the “lowest level possible”.

“It’s imperative that people have confidence that when they’re communicating with us that we’re doing absolutely everything possible to look after their data,” he told the cabinet meeting.

“I think that’s the minimum people expect, and I’m sure that’s what every staff member is trying to do.

“What we’re doing is to ensure that staff recognise what they’re handling, why they’re handling it and how they can operate with that and ensure that that personal information is secured.”

Cllr Hunt said social workers have also been reminded about the importance of recording the correct postal address so that documents are not sent to the wrong household.

They are now physically delivering assessments rather than posting or emailing them “to avoid them going to the wrong people”, he said.

Cabinet member for adults and public health, Ben Stokes, said problems often resulted from staff inadvertently choosing the wrong email address from options that automatically pop up.

He said the IT department had addressed the issue and staff had been “appropriately trained”.

The number of data security incidents at the council has risen by 57 per cent in the last three years, from 126 in 2017/18 to 198 last year, according to the report.

The council has blamed the year-on-year rise on growing work pressures and greater staff awareness of the importance of data security.

“Analysis reflects that the data protection training has increased awareness and improved staff and member confidence in reporting actual or suspected incidents,” a spokesperson said. 

“The majority of the incidents can be attributed to relatively simple mistakes impacting only a small number of data subjects, which may reflect the increased pressure staff are under as demand for services increase in certain areas. 

“All information security incidents are fully investigated and reported, even if they do not result in a personal data breach.”

The spokesperson said the local authority told people their personal data had been wrongly disclosed on a “case by case basis” owing to the need to prioritise “the rights and welfare of the data subject”. 

The report said: “The security incidents have highlighted the need to regularly review and maintain robust policies, procedures and ongoing awareness training.”b