The Information Commissioner's Office (ICO) has slammed what it calls "an underlying problem with data protection in local government". The criticism comes after four councils were fined a combined £300,000 for losing personal data.
Leeds City Council was fined £95,000 after sensitive information about a child care case was sent to the wrong person, while Devon County Council was fined £90,000 for a series of similar incidents.
The London Borough of Lewisham received a £70,000 fine after a social worker left sensitive documents containing information about sexual abuse and neglect on a train. Meanwhile, Plymouth City Council was fined £60,000 after files containing sensitive data about child neglect were sent to the wrong recipient.
A total of 19 councils have now been fined a combined sum of almost £2m for data breaches.
"It would be far too easy to consider these breaches as simple human error. The reality is that they are caused by councils treating sensitive personal data in the same routine way they would deal with more general correspondence," said Information Commissioner Christopher Graham.
"Far too often in these cases, the councils do not appear to have acknowledged that the data they are handling is about real people, and often the more vulnerable members of society."
Graham said the loss of sensitive information by local government won't be tolerated.
"The distress that these incidents would have caused to the people involved is obvious," he said.
"The penalties we have issued will be of little solace to them, but we do hope it will stop other people having to endure similar distress by sending out a clear message that this type of approach to personal data will not be tolerated.
"There is clearly an underlying problem with data protection in local government and we will be meeting with stakeholders from across the sector to discuss how we can support them in addressing these problems," Graham concluded.
The ICO added that it's pushing the Ministry of Justice for stronger powers to audit data protection compliance by local councils and the NHS.
Last month, Phil Allen, director of identity and access management EMEA at Quest Software, told Computing that the ICO must focus on educating organisations about data loss, rather than relying on fines.