GDPR and email: minimise the transfers!
A ‘human error’ was the blame for Kent Council’s email breach. Such a situation may involve penalties ranging from a simple warning by the control authority, the ICO in this case, to fines of 20 million euros.
E-mail including contact details of more than 300 adoptive parents and some support workers were shared mistakenly by an employee. That’s not to say that the right procedures weren’t taken by Kent Council. Following the aftermath, the mistake was identified and reported to a manager, who immediately took the relevant steps according to the internal procedures. Also, an attempt was made to try and recall the email that disclosed contact details of the adoptive parents.
A lot of parents are worried and angry because of the negative impact this accidental disclosure of their confidential personal details might have if the birth families were to come across the information.
“We are all looking after vulnerable children, and many of us have concerns over birth families tracking down our children. The implications of such a data breach could be very serious.” A parent stated.
Data protection breaches are terrifying and very disruptive to the lives of adoptive parents. Not only do they put the parents’ safety at risk, but also the safety of their children.
The council has apologised to parents and pledged to improve security procedures. Good risk management will also ensure that checks and controls are in place to limit the chance for these mistakes to happen in the first place.
But, in the case of a human error such as this one, the council must go over how the breach occurred and ensure through an extensive staff training, that additional steps be taken to prevent a similar mishandling of data.
There doesn’t seem to have been any action taken by the ICO yet regarding the breach but the council said it was investigating whether the breach met the threshold required for reporting to the ICO, which in this case it clearly does.