The ICO has fined Hampshire County Council £100,000 (local government body) after paper based documents containing over 100 peoples personal and sensitive personal data was found in a disused building. The building was decommissioned in August 2014 after the Adults and Children Service vacated in 2012.

Between July 2012 and August 2014 a number of individuals had access to the building, this included the agent who was responsible for showing and selling the building to prospective buyers. The local authority were contacted in September 2014 to inform them a number of files containing a set of social care and complaints data were found in a unlocked cupboard/room. In addition to this there was 45 bags of confidential waste in a locked room.

The data personal and sensitive data related in excess of 100 individuals, (Data Subjects). There was no building and data decommission procedure in place. This data was highly sensitive as it contained information about adults and children in vulnerable circumstances. The ICO's investigation found that the council lacked technical and organisational measures to guard against accidental loss or destruction of personal data.

As the Director of Information Governance working in Wright Hassall LLP,  I am surprised an office relocation system was not in place, however,  understandably if there is no governance and risk impact assessment to follow, staff members on the ground would not know how to control and comply with the  requirements in regards to the movement of data, offices and people.

We work on sharing good practice to help organisations prevent these types of breaches, we created and took part in a ICO training video “back from the breach” to help organisations. We created a breach management and relocation system that allows an organisation to assess the impact and detect likely issues and put systems in place to mitigate and prevent these types of incidents. Training staff is no longer a tick box exercise and our interactive people led training programme helps organisations prepare and embed good data management and protection. 

We have created a UK wide Data Action Network, bringing together social housing, care and local authorities to collaborate, share and work with our support service to become and maintain data management and protection compliance.  Reach out we are here to keep you informed and get you involved, InfGov@wrighthassall.co.uk.

About the author

Paula Tighe Partner

Paula is a qualified data protection professional and leads the trusted advisor information governance service.