Council Fined for Data Protection Act Breach (UK)
A council that left personal information about a group of particularly vulnerable people exposed online for five years in a ‘serious and prolonged breach’ of the Data Protection Act has been fined £70,000 by the Information Commissioner’s Office.
In a case that provides a salutary warning for all organisations that it is ‘unacceptable and inexcusable’ not to treat the security of personal data seriously, Nottinghamshire County Council was found to have posted the gender, addresses, postcodes and care requirements of 3,000 elderly and disabled people in an online directory that lacked even basic security such as a username or password.
‘Nottinghamshire County Council: Monetary Penalty Notice’ reveals that the breach was discovered by a member of the public who was able to access and view the data using a search engine without logging in. He became concerned that it could be used by criminals to target vulnerable people – particularly as it included details about whether they were currently in hospital.