The ICO issued the following press release:
Portsmouth City Council has agreed to take action after the inappropriate disclosure of personal information relating to an individual’s physical and mental health, the Information Commissioner’s Office (ICO) said today.
The sensitive information was mistakenly provided in response to an individual’s request to see the information the council held about them – known as a subject access request. The council failed to redact documents correctly and so accidentally disclosed information about another individual.
The ICO was informed of the breach by the council. The ICO’s investigation revealed that the individual responsible for redacting the documents was neither employed by the council, nor acting under the terms of a formal contract for services. The supervision and training provided to staff involved in the subject access request process was also found to be inadequate.
Mick Gorrill, Head of Enforcement at the ICO, said: “This breach of the Data Protection Act was entirely avoidable, and would not have happened if the individuals dealing with the request had been given proper training and the necessary levels of support. The fact that the information released included sensitive information relating to an individual, who wasn’t directly involved in the original request, could have caused a great deal of embarrassment and distress.
“We are pleased that Portsmouth City Council recognise the seriousness of the case, and have taken the necessary steps to ensure this won’t happen again. We would urge local authorities across the country to remain vigilant when handling such requests in order to ensure they continue to comply with the Act.”
David Williams, Chief Executive of Portsmouth City Council, has now signed a formal undertaking to ensure that all relevant staff are fully trained in how to handle subject access requests and that checks are put in place to ensure that third-party data is dealt with in accordance with the Act’s requirements. The council has also agreed that in future any individuals tasked with redacting material from subject access requests will either be employed by the council directly, or otherwise enter into a formal contract to provide this service.
A full copy of the Undertaking can be viewed here: http://www.ico.gov.uk/Home/what_we_cover/promoting_data_privacy/taking_action.aspx#portsmouth
I’m not sure I understand this: what is a council doing with physical and mental health data, anyway?