Cheshire West and Chester Council has agreed to put its house in order after a number of data breaches including sexual abuse allegations being sent to an incorrect address.

Chief executive Gerald Meehan has committed to appropriate staff training around obligations under the Data Protection Act.

The alternative was for the Information Commissioner’s Office (ICO) to exercise its enforcement powers.

Among the mistakes which had the ‘potential to cause serious distress for those affected’ were:

■ Incorrect mobile phone number given to an ex-partner of a data subject

■ Allegations of historic sexual abuse sent to incorrect address due to the address and postcode being obtained from Google Maps search

■ Data handling procedure introduced following previous breaches not adhered to in some high risk areas because staff unaware

The ICO issued a statement on its website which highlighted a number of concerns relating to staff training which were identified following an ICO audit and subsequent follow-up in addition to a series of self-reported incidents.

The statement explained: “The majority of these incidents concerned disclosure in error cases and almost all involved staff who had not received data protection training. Some of these individuals were also temporary agency workers.

"Despite agreed audit recommendations specifically related to training, which included the requirement to train all staff employed and monitor take up of such training, subsequent investigations have identified that these recommendations have not been implemented fully.”

The ICO said CWaC has policies in place which highlight the data protection obligations of its employees but the level of overall organisational compliance with mandatory data protection training has ‘fluctuated significantly over the last two years’.

Chief executive Mr Meehan has agreed to carry out a risk-based training needs analysis across the organisation to work out the level of data protection awareness required for each role.

Mandatory data protection training will be delivered for all employees whose role involves handling personal data including new staff upon induction. Regular mandatory refresher training will be carried out. The training regime will be monitored and enforced.