show image

Notts County Council fined £70,000 for exposing vulnerable people’s personal data

Nottinghamshire County Council has been handed a £70,000 fine for leaving vulnerable people’s personal information exposed online for five years.

The data included the gender, addresses, postcodes and care requirements of 3,000 elderly and disabled people, according to the ICO.

It was hosted in an online directory that lacked basic security or access restriction such as a username or password, the ICO found.

The council only became aware of the breach after a member of the public stumbled across the unprotected directory while carrying out an online search.

The ICO’s head of enforcement, Steve Eckerley, described the incident as a serious and prolonged breach of the law:

For no good reason, the council overlooked the need to put robust measures in place to protect people’s personal information, despite having the financial and staffing resources available.

Given the sensitive nature of the personal data and the vulnerability of the people involved, this was totally unacceptable and inexcusable. Organisations need to understand that they have to treat the security of data as seriously as they take the security of their premises or their finances.

The online directory formed part of a portal designed to allow social care providers to confirm they were able to provide support a particular service user.

Caroline Baria, adult social care service director at Nottinghamshire County Council, said:

Nottinghamshire County Council takes its responsibility for data security extremely seriously so we are very sorry that this error occurred and wholeheartedly accept the Information Commissioner’s findings.

As soon as this matter came to our attention we removed the home care directory from the internet and reported the incident to the Commissioner.

At the time the directory included partial addresses and a brief outline of the care needs of 81 people who have required home care services, but the information did not contain any names or house numbers.

A full review of procedures has been carried out and we are now using a different system for home care providers outside of the internet.