ICO fines Aberdeen City Council after home-worker published sensitive child data

Information about vulnerable children accidentally published and remained online for months

The Information Commissioner's Office (ICO) has fined Aberdeen City Council £100,000 after a data breach resulted in an employee publishing data about vulnerable children online while working from home.

Data about children in the care of social services was released when a council employee accessed documents including reports and meeting minutes from her home computer. The documents were automatically uploaded online by a file transfer programme installed on the PC, publishing sensitive information about children and their families, including material about alleged criminal offenses.

The files were uploaded in November 2011 but remained online until February 2012. They were only discovered after another member of staff found them after searching for their own name and job title. An ICO investigation found that Aberdeen Council didn't have any working from home policy in place for its staff and didn't have security measures to stop sensitive information being released.

"As more people take the opportunity to work from home, organisations must have adequate measures in place to make sure the personal information being accessed by home workers continues to be kept secure," said Ken Macdonald, Assistant Commissioner for Scotland at the ICO.

"In this case Aberdeen City Council failed to monitor how personal information was being used and had no guidance to help home workers look after the information," he continued.

On a wider level, the council also had no checks in place to see whether its existing data protection guidance was being followed. The result was a serious data breach that left the sensitive information about a vulnerable child freely available online for three months.

"We would urge all social work departments to sit up and take notice of this case by taking the time to check their home working set-up is up to scratch," Macdonald added.

Richard Anstey, CTO EMEA for Intralinks, echoed Macdonald, arguing that firms need to do more to ensure remote employees are properly managing information as lessons aren't being learned.

"In effect, employees have free rein when sharing documents, whether on a corporate-owned laptop, home computer or personal device. Companies need to strike a fine balance between usability and diligent control to minimise the risk of sensitive information leaking," he said.

"Too many councils are getting fined and we are seeing this way too often - clearly lessons aren't being learned. Organisations should consider secure enterprise collaboration services which can maintain a higher level of document security and allow full and auditable proof of receipt," Anstey added.

Aberdeen City Council is now in the process of agreeing an undertaking with the ICO that commits it to improving its compliance with the Data Protection Act.