Newcastle City Council has been forced to apologise after one of its workers included an attachment with highly sensitive data when sending an email to invite adoptive parents to an annual summer event. The leaked data contained 2,743 individuals’ names, addresses, birth dates, and the details of current and former adoptees and social workers. The breach took place on 15 June 2017 when the email was sent to 77 people.
Ewen Weir, the Council's Director of People, said "I am truly sorry for the distress caused to all those affected. We will work closely with the affected families and individuals to support them at this trying time. The council takes data protection and confidentiality very seriously and has acted swiftly to understand what happened and who has been affected. This breach appears to have been caused by human error and a failure to follow established procedures. We are conducting a thorough review of our processes to identify what changes we can make to ensure this never happens again."
The ICO will investigate the breach and can obviously issue a fine of up to £500,000. What penalty might have been imposed if GDPR had already come into force can only be the subject of conjecture.
This might serve as a reminder to all to be more careful and ensure all staff receive appropriate training, support and guidance!