The latest penalties served by the Information Commissioner’s Office (ICO) bring the total amount served by the ICO to organisations found in serious breach of the Data Protection Act to over £1m.

Monetary penalties totalling £180,000 were recently served to two councils for failing to keep highly sensitive information about the welfare of children secure.

Croydon Council has been handed a penalty of £100,000 after a bag containing papers relating to the care of a child sex abuse victim was stolen from a London pub. Norfolk County Council has been served with an £80,000 penalty for disclosing information about allegations against a parent and the welfare of their child to the wrong recipient.

Stephen Eckersley, Head of Enforcement, said:

“We appreciate that people working in roles where they handle sensitive information will “ like all of us “ sometimes have their bags stolen. However, this highly personal information needn’t have been compromised at all if Croydon Council had appropriate security measures in place.

“One of the most basic rules when disclosing highly sensitive information is to check and then double check that it is going to the right recipient. Norfolk County Council failed to have a system for this and also did not monitor whether staff had completed data protection training.

“While both councils acted swiftly to inform the people involved and have since taken remedial action, this does not excuse the fact that vulnerable children and their families should never have been put in this situation.”

Both councils have taken remedial action as a result of the breaches and will now ensure that effective data protection measures are put in place.

The ICO has issued guidance on security measures for personal information.