Fine over social care charity data loss
- 10 October 2012
- From the section London
A social care charity has been fined £70,000 after confidential reports about four children went missing when left outside a house in London.
A social worker trying to deliver the files to the children's prospective adoptive parents left them at the side of the property in December.
An Information Commissioner's Office inquiry found Norwood Ravenswood Ltd had not fully trained its employee.
A charity spokesman said it had taken steps to tighten procedures.
Head of enforcement at the Information Commissioner's Office (ICO), Stephen Eckersley, said: "We do not want to be issuing monetary penalties to charities, but in this case the seriousness of the breach left us with little choice."
Data protection training
The ICO said when the social worker went to the house neither occupant was there, but when they returned the reports had gone. The information has never been found.
The documents contained sensitive information including details of any neglect and abuse suffered by the children, along with information about their birth families.
An investigation by the ICO found the social worker had not received data protection training, in breach of the charity's own policy, and received no guidance on how to send personal data securely to prospective adopters.
Mr Eckersley said: "We have warned the charity sector that they must have thorough policies and procedures in place to keep the often sensitive information they handle secure.
"The children involved in this case were no more than six-years-old and now they are in a situation where their most sensitive details could be in the hands of a complete stranger."
Describing the breach as "entirely avoidable" he said: "The fact that the social worker had received no training while working at the charity, on how to look after what is extremely sensitive information, is truly staggering."
A statement from the charity said: "Norwood found itself, within its adoption service, to be in an isolated breach of the Data Protection Act and reported itself to the ICO when it was discovered.
"Norwood took immediate steps to tighten its procedures in line with the Act to ensure that an incident of this kind will not be repeated."