ICO hits Powys with record data breach fine

Powys County Council fined £130,000 after mix-up with child protection reports

Powys County Council has been fined £130,000 by the Information Commissioner's Office (ICO) – a record for a data protection breach.

The data protection breach occurred when two separate reports about child protection cases were sent to the same shared printer, according to the ICO.

It is believed that two pages from one report were mistakenly collected with the papers from another case and were sent out without being checked.

The recipient of the two pages of the report knew the parent and child whose personal details were included in the papers, and complained to the council.

“The distress that this incident would have caused to the individuals involved is obvious and made worse by the fact that the breach could have been prevented,” said Anne Jones, assistant commissioner for Wales.

The incident was the second time the ICO had received a complaint about Powys County Council, following a similar case in June 2010.

The ICO has issued a legal notice ordering Powys to improve its data handling.

Had the shared printer at the centre of this incident used endpoint controls, it would have ensured that the reports were only printed when the appropriate member of staff arrived to collect the report and had input an access code.

The ICO has in the past few weeks slapped fines on Worcestershire County Council and North Somerset Council, following data breaches.