The perils of email – £120,000 fine imposed for sending emails to the wrong recipients
Updated July 2011
We are all aware of how easy it can be to send an email to the wrong recipient. Unfortunately for Surrey County Council, such a simple error resulted in a fine of £120,000 imposed by the Information Commissioner’s Office (ICO). The fine is the largest imposed on a single organisation since the ICO was granted its enhanced powers to issue fines in April 2010. The Council was fined for three serious breaches of the Data Protection Act over the last year.
What happened?
The first breach occurred on 17 May 2010 when a Council employee inadvertently emailed personal information relating to 241 adult social care service users to the wrong group email address. An attempt was made to recall the email, but the Council could not confirm that the recipients had destroyed the message.
On two further occasions, the Council sent sensitive personal data to the wrong recipients.
The monetary penalty notice issued by the ICO stated that there had been a serious contravention of section 4(4) of the Data Protection Act. The Council had failed to take appropriate measures against unauthorised processing, such as providing employees with appropriate IT training and support, establishing naming conventions for group email distribution lists (so that a sender can tell at a glance who a list reaches), and ensuring the encryption of emails containing sensitive personal data.
The ICO also stated that the contravention was of a kind likely to cause substantial distress to individuals, who would know that confidential sensitive personal data had been disclosed to a large number of people who had no right to know that information. The Information Commissioner further said that the fine took into account the serious nature of the initial breach and the occurrence of two further similar breaches.
Comment
The facts of this case are similar to those of other cases in which the ICO has imposed fines. Organisations that deal with sensitive data relating to vulnerable people need to take extra care to ensure that personal data is kept securely, that appropriate procedures are in place to protect it, and that staff are properly trained in how to handle sensitive personal data, in particular when sending it to third parties (whether by email or other means). If a breach occurs and sensitive personal data is disclosed to unauthorised recipients, there is a high risk that the ICO will impose a fine.
We recommend that all organisations that handle sensitive personal data review their data handling procedures and staff training. They should ensure that appropriate technical measures are in place to transmit sensitive personal data securely (for example, encrypting such emails and checking group distribution lists before sending) and that employees understand their duties in relation to data protection and the procedures to be followed when sending out sensitive information.
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at July 2011. Specific advice should be sought for specific cases; we cannot be held responsible for any action (or decision not to take action) made in reliance upon the content of this publication.
© TLT LLP 2011. TLT LLP is a limited liability partnership registered in England and Wales number OC 308658.