How safe is your data?
Does the legal profession have something of a problem with data protection? Take a look at the Information Commissioner’s Office enforcement casework statistics for 2012/13.
These show that the watchdog opened some 55 enforcement cases in 2012/13 relating to solicitors and barristers, which – to me, anyway – seems a pretty sizeable number.
Along with central government, lawyers were the joint sixth highest generator of cases. The highest were health (340), local government (228), education (114), general business (103) and lenders (57).
The updating of the performance statistics comes as – after something of a lull – the ICO has fined four public sector organisations in the last couple of weeks a combined £375,000 for a variety of transgressions:
- Stolen and missing laptops: Glasgow City Council (£150,000)
- Sensitive data left at a former site: the now-dissolved Stockport Primary Care Trust (£100,000)
- Sending details on adoptive parents to the birth mother: Halton Borough Council (£70,000)
- Faxing data to the wrong recipient on three occasions: North Staffordshire Combined Healthcare NHS Trust (£55,000)
It would be interesting to know how confident local authority legal departments really feel about the security of the data they hold.
The very first monetary penalty notice issued by the ICO after the watchdog gained radically enhanced fining powers was, of course, served in November 2010 on a county council after two incidents where its childcare litigation unit accidentally faxed data to the wrong recipients.
In October 2012, a city council was fined £120,000 after a solicitor in its legal department mistakenly sent a series of emails with unencrypted sensitive data relating to a child protection legal case to the wrong address.
In that case the ICO concluded that the solicitor was in breach of the authority’s email and information protection policies, which confirmed that the emails should be sent via a secure network or encrypted. The email should also have been protectively marked.
Importantly, though, the council was aware that the legal department did not have access to encryption software and frequently had to send emails outside the secure network in order to carry out their work.
The council further admitted that the policy on information protection in particular was not widely known to staff and no relevant training had been provided. As a result, the solicitor in question was not disciplined.
A third case involving lawyers (but not one on which the ICO has to my knowledge made any pronouncement) meanwhile arose in 2012 when a borough council’s legal team sought injunctions in respect of youths committing anti-social behaviour on a housing estate.
The evidence submitted to the court included, amongst other things, a log of calls made by various residents who were complaining about the behaviour. This should have been redacted to remove information identifying the complainants, but it was not. As a result the defendants were given the details of some of those who had complained about them. The mistake saw the borough have to pay for extra policing over a number of weeks as well as to process requests for housing transfers.
A subsequent external investigation conducted by a head of legal at another authority – commissioned by the council – found there was a good understanding about data security requirements in the legal service and that systems were well embedded and policies and procedures were followed. There were also a number of areas of good practice identified.
However, the investigation did find some areas for improvement, such as the need to: bring some of the rules and procedures around data security together in one document; take a more regular look at risk assessments; and establish a standing information group.
These are three of the cases that immediately sprang to my mind when it comes to information security and legal services teams. There may well be other departments around the country who are thinking ‘There but for the grace of God…’. How safe is your data?