Yesterday, the ICO issued a reprimand to Birmingham Children’s Trust Community Interest Company after the personal information of a child was inappropriately disclosed to another family.
The child protection and review department at Birmingham Children’s Trust Community Interest Company, which is owned by Birmingham City Council, was working with two neighbouring families when the data breach occurred. A child protection plan was disclosed to one family that contained both personal information and criminal allegations relating to a child from the neighbouring family. This information was included in error after being copied across from meeting minutes.
The ICO investigation found that Birmingham Children’s Trust Community Interest Company did not have appropriate policies or sufficient practical guidance in place to ensure the security of personal information. This is a breach of Articles 5(1)(f), 32(1)(b) and 32(2) of the UK GDPR.
The ICO has recommended that Birmingham Children’s Trust Community Interest Company should take further steps to ensure its compliance with data protection law, including:
- Implement a more granular approach to data protection and create a Standard Operating Procedure with regard to producing social care documents.
- Include a process for any social care product to be independently checked by someone other than the author prior to disclosure.
- Create and implement a corporate redaction policy, which ensures staff have the knowledge and tools to redact the product if necessary.
Our GDPR Essentials e-learning course is ideal for organisations that wish to upskill their employees in data protection and data security.

