ICO fines Surrey County Council £120,000

The Information Commissioner's Office (ICO) has fined Surrey County Council £120,000 for three serious breaches of the Data Protection Act over the last year.

Information commissioner Christopher Graham (pictured) said that the fine was reflective of the serious nature of the initial breach, and the fact that it was followed by two more breaches.

"This significant penalty fully reflects the seriousness of the case," he said.

"The fact that the first breach saw sensitive personal information relating to the health and welfare of 241 vulnerable individuals was sent to the wrong people is shocking enough. But when you take into account the two similar breaches that followed, it is clear that Surrey County Council failed to fully address the risks of sending sensitive personal data by email until it was far too late."

The most serious breach occurred in May last year, when a council worker accidentally emailed the personal health records of 241 individuals to the wrong group address.

This was followed by two similar breaches in July last year and in January this year.

Graham said: "Any organisation handling sensitive information must have appropriate levels of security in place. Surrey County Council has paid the price for their failings, and this case should act as a warning to others that lax data protection practices will not be tolerated."

The ICO has been criticised in the past for a perceived reluctance to use its powers to fine, but a spokesman claimed that today's announcement does not reflect a move towards financial penalties.

"Punitive measures are decided on a case-by-case basis," he said. "We have to look at the sensitivity of the information, whether the organisation in question did enough to prevent the breach, and the ability of the organisation to pay. Every organisation and every data breach is different."

Once paid, the fine will be passed on to HM Treasury's Consolidated Fund.