ICO rebukes Scottish child protection agency over data security lapses

Sensitive information was sent to the wrong email address and left in a second-hand furniture shop

The Scottish Children's Reporter Administration (SCRA), an organisation set up to protect children in the justice system, has been reprimmanded for breaching the Data Protection Act in two separate incidents.

The Information Commissioner's Office (ICO) said that the breaches occurred because the SCRA failed to make sure its data protection and IT security guidance policies were being correctly followed by staff.

In January 2011 legal papers containing sensitive information about a child's court hearing were sent to the wrong email address. The documents included the identities of the child's mother and witnesses.

Prior to that, in September 2010, nine case files were left in a filing cabinet that was sold to a second-hand furniture shop. The files in the cabinet contained details of names, dates of birth, social reports and referral decisions relating to children.

"The fact that sensitive information was mishandled not once but twice by the same organisation is concerning," said Ken Macdonald, assistant commissioner for Scotland.

"On both occasions the personal data which was compromised related to young children and was caused by human errors that could easily have been avoided."

Neil Hunter, chief executive of SCRA, has signed an undertaking to ensure that staff are made aware of the organisation's policies around storage and use of personal data. Checks have also been put in place in a bid to make sure that the policy is followed.

With the ICO again deciding not to fine after highly sensitive information was exposed by an organisation, commentators are likely to renew calls for a tougher approach from the data protection watchdog.