Cheshire West and Chester Council has agreed to put its house in order after a number of data breaches including sexual abuse allegations being sent to an incorrect address.
Chief executive Gerald Meehan has committed to appropriate staff training around obligations under the Data Protection Act.
The alternative was for the Information Commissioner’s Office (ICO) to exercise its enforcement powers.
Among the mistakes which had the ‘potential to cause serious distress for those affected’ were:
■ Incorrect mobile phone number given to an ex-partner of a data subject
■ Allegations of historic sexual abuse sent to incorrect address due to the address and postcode being obtained from Google Maps search
■ Data handling procedure introduced following previous breaches not adhered to in some high risk areas because staff unaware
The ICO issued a statement on its website which highlighted a number of concerns relating to staff training which were identified following an ICO audit and subsequent follow-up in addition to a series of self-reported incidents.
The statement explained: “The majority of these incidents concerned disclosure in error cases and almost all involved staff who had not received data protection training. Some of these individuals were also temporary agency workers.
"Despite agreed audit recommendations specifically related to training, which included the requirement to train all staff employed and monitor take up of such training, subsequent investigations have identified that these recommendations have not been implemented fully.”
The ICO said CWaC has policies in place which highlight the data protection obligations of its employees but the level of overall organisational compliance with mandatory data protection training has ‘fluctuated significantly over the last two years’.
Chief executive Mr Meehan has agreed to carry out a risk-based training needs analysis across the organisation to work out the level of data protection awareness required for each role.
Mandatory data protection training will be delivered for all employees whose role involves handling personal data including new staff upon induction. Regular mandatory refresher training will be carried out. The training regime will be monitored and enforced.
Mr Meehan said in a statement to The Chronicle: "The council is responsible for managing and maintaining huge amounts of personal information and we take data protection extremely seriously. I must therefore apologise that on a small number of occasions due to human error, we have fallen short of the high expectations rightly placed upon us.
"I would like to reassure everyone that we are proactively working with the Information Commissioner’s Office to put in place the actions put forward to keep personal data safe and to minimise the risk of similar incidents happening again."