Council fined £70,000 after failing to secure home care data portal
The council has said it is now using a different system for home care providers
[Nottinghamshire, UK] The Information Commissioner’s Office (ICO) has issued a fine of £70,000 after discovering data of elderly and disabled people on an unsecure online portal of a local authority.
Nottinghamshire County Council held data including gender, addresses or care requirements of vulnerable people in a directory for five years without appropriate restrictions, breaching the Data Protection Act.
The ICO discovered the issue after a member of the public accessed the data by using a search engine without any log in details. No names were included in the portal, but the ICO says people could have been identified from the information posted online.
Steve Eckersley, ICO Head of Enforcement, said this was an ‘unacceptable and inexcusable’ failure to uphold the requirements of the Data Protection Act:
“This was a serious and prolonged breach of the law. For no good reason, the council overlooked the need to put robust measures in place to protect people’s personal information, despite having the financial and staffing resources available.”
Directory removed by the council
According to the ICO, the Home Care Allocation System was set up in 2011 so that providers could confirm if they had the capacity to offer care services to vulnerable people in the area.
Over five years, until the breach was reported in June 2016, is it believed data of 3,000 people had been posted online.
Caroline Baria, Adult Social Care Service Director at the council, said:
"Nottinghamshire County Council takes its responsibility for data security extremely seriously so we are very sorry that this error occurred and wholeheartedly accept the Information Commissioner's findings.
"As soon as this matter came to our attention we removed the home care directory from the internet and reported the incident to the Commissioner.
"At the time the directory included partial addresses and a brief outline of the care needs of 81 people who have required home care services, but the information did not contain any names or house numbers.
"A full review of procedures has been carried out and we are now using a different system for home care providers outside of the internet."