Council fined for randomly emailing personal data

Surrey County Council has been fined £120,000 by the Information Commissioner's Office for breaking the Data Protection Act. The council was rapped for three separate offences. Firstly, in May last year it sent mental and physical health information on 241 individuals to the wrong group email address. Recipients included cab …


This topic is closed for new posts.
  1. Anonymous Coward

    The point of this is?

    What's the point of this farce? One section of govt fines another section of govt and the taxpayer picks up the bill.

    Until they start fining (and sacking) the INDIVIDUALS responsible this sort of crap will go on and on and on.

    Typical (and all too common) public sector incompetence and the tossers will still have a job this time next year.

    Try landing your employer with a £120k fine in the private sector and see how long it is before you're escorted off site.

  2. Barticus

    What's the point...

    ...of fining the council...the fine will only get paid with our money. Fine the fucking idiot that sent the stuff out...and then sack them.

  3. Anonymous Coward

    Which will be passed on to ratepayers

    It's nice to know that those responsible receive extra staff training while the ratepayers get stuck with paying the fine.

  4. Gav

    World's worse data protection

    "The file was not encrypted or password protected."

    Cos it would have been ok if it was "password protected", wouldn't it?

    Why are we saying this as if it makes any difference to the leaked information? There really needs to be more effort from everyone to hammer the point home that as a method of security, "password protection" is as useless as locking your front door when you have no walls.

  5. Yet Another Commentard

    Pointless fines

    Firstly, why is it suitable to populate and disseminate an excel spreadsheet with sensitive data? Surely there is a better/more secure way to do that? Or if you have to, why send the spreadsheet, why not a link to some secure internal shared space? Even if the link gets out - dead URL contained in it.

    Secondly what's the point of a Government body fining another Government body? Surely the Council's bigwigs will just shrug this off, it's not their money. Why not fine the directors (or equivalent in public sector bodies) personally, each at this level. The threat of a £120,000 personal fine would mean I'd certainly tighten up all the procedures as a matter of priority.

    In the meantime, the good citizens of Surrey suffer either via a Council Tax rise to cover this, or a reduction in services to make up any shortfall. The Council itself, bar some bad publicity, is in the clear.

  6. Lionel Baden


    I don't see how shuffling funds from one government department to another is going to help in any way or form.

    I'm guessing Surrey's council taxes will cover this :/

    People who are responsible need to be held to account not the pockets of the investors a.k.a the tax payer

  7. Ru

    "The council tried to recall the email"

    And here we see the problem with people using Outlook/Exchange internally, and not understanding the rest of the world might not work quite the same way.

    1. Martin 71 Silver badge

      I wondered

      what in the hell 'recalling mail' would be, is this the internet equivalent of getting your hand stuck in a pillar box?

      It'd HAVE to be Microsoft wouldn't it

    2. Anonymous Coward

      it's worse than that...

      they're a Lotus Notes organisation.

  8. The BigYin


    ...I think you mean "Taxpayers punished for civil servants' ineptitude", after all it's us who pay these fines to...err...ourselves in cases like this. Those who failed (if anyone) need to face the music, not our collective wallet.

    Oh, wait, this is the civil service. I forgot.

    Carry on!

  9. There's a bee in my bot net

    Paid the price?

    "Information Commissioner Christopher Graham said the council had paid the price for failing to handle sensitive data appropriately or to have security measures in place."

    He means the people who live in that borough paid the price through more cuts to their local services or increases in council tax to pay the fine right?

  10. Peter Galbavy


    Until individuals are fined or punished this achieves nothing. It's simply the transfer of public money from one place to another.

  11. nsld


    To fine the council tax payer.

    Fine the pension fund of the chief executive then the council will take more notice and work to prevent this kind of stupidity.

    Fire the people who sent the emails out as well.

    Charging the public purse for the failures of individuals will achieve absolutely nothing.

  12. Al fazed

    That's what I like about

    this country. The council doesn't have the resources to train its staff to make sure these idiocies don't occur, and the best way to deal with that is for the courts to take away more resources by fining them.

    Wouldn't it have been better if the court had ordered the council to spend that money on training, or for implementing safeguards? Like a proof reader type person who could manually validate the post before it went out.


  13. Steven 1

    Well no....

    "Surrey County Council has been fined £120,000" - No I think you'll find that ultimately tax payers have been fined £120k.

    Don't bother giving fines to these public bodies – none of them view it as real money anyway; it's about time those responsible are strung up from the nearest lamppost and made to pay for their utter incompetence!

  14. Steven Roper
    Thumb Down

    Fining councils

    doesn't work. It only hurts the ratepayers because the council will just factor the fine into its budget and raise rates accordingly. What needs to happen is that the oiks responsible for sending the emails should be PERSONALLY fined. Then it doesn't affect the ratepayers, and the idiots responsible get an expensive lesson on why to treat other people's information with respect.

  15. andy gibson

    Stop fining councils

    They're already strapped for cash and this benefits nobody. Sack those responsible instead.

  16. Alan Brown Silver badge

    Typical Surrey incompetence

    This is just the tip of the iceberg, only that the majority of the problem doesn't involve personal data.

    The entire council has a policy of non-transparency and avoidance of responsibility. It's a wonder they didn't attempt to cover this up and threaten the people complaining to the ICO with dismissal.

  17. G C M Roberts

    Type your comment here

    Hurrah, so in short a government department has moved money from one department to another and I take it the affected parties get nothing?

  18. Anonymous Coward


    "Soon after that incident in June, the council sent a second email containing personal data on several individuals to 100 people who had registered for a council newsletter."

    Oh well I suppose they at least got their money's worth from their council tax that month!

    Honestly what the flipping heck is wrong with these dingbats? How about putting a block on the email servers that quarantines anything with attachments coming in or going out? Alright it's not perfect, but better than just sending stuff and only realising it some days later when it's way too late to be able to do anything. If someone has to release emails there is at least a "paper-trail" of responsibility.

  19. Slimster
    Thumb Down

    Who really pays the price of incompetence?

    "Information Commissioner Christopher Graham said the council had paid the price for failing to handle sensitive data appropriately or to have security measures in place."

    Oh really? You mean the council tax payers are going to pay the price in reduced services in order to meet this fine. Did anyone's head roll?

  20. Anonymous Coward

    Or more accurately...

    The taxpayers of Surrey have been fined.

  21. BristolBachelor Gold badge

    paid the price?

    "...said the council had paid the price for failing to handle sensitive data appropriately..."

    Really someone in the council should be responsible for ensuring they do the right things (even if they don't have the title 'data controller'). What happened to them? Have they had their hands cut-off? Slap on the wrist even?

    Fining the council does nothing except further punishing the people of Surrey, since there will be less money to pay for their services.

    I'm glad to see the ICO starting to grow some teeth, but I think that they need to be bared more often, and used against PEOPLE who are the cause of the issues.

  22. Anonymous Coward

    If I were a rate-payer I'd be mad...

    ...oh, maybe I am, better check that email again.

  23. frank ly

    Not quite Correct

    " ... the council had paid the price for failing to handle sensitive data appropriately ..."

    Actually, Surrey ratepayers (poll tax..) will pay the price, in reduced spending on services or an increase in their payments next year.

    I'd like to see fines of this nature levied on executive salaries/bonuses and managerial bonuses, over a three (or so) year period. Yes, dream on, I know.

  24. Jacqui

    pork barrel

    say no more.

  25. spegru

    The council tried to recall the email?

    but was unable to verify what happened to the information.

    Are there people out there who really believe that works?

    Another MS-foisted Outlook problem.

    If public orgs really had a clue, info like that would be on a secure server linked to users with one-time URLs, not needing to be emailed at all - just like a decent content delivery network

  26. Bumpy Cat

    Jobs on the line

    *sigh* Until people are actually made to pay for their mistakes, through disciplinary action or losing their job, this will keep happening. It's always "lessons learned" and "new procedures", but it needs each and every person handling confidential data to (1) KNOW how to secure it, and (2) THINK about possible risks.

  27. Anonymous Coward

    Bolt Horse Door

    "Surrey Council has since added an alert function when sensitive information is sent to an external email address."

    Hopefully this stops sensitive information going out rather than notifying after the fact. But how would such a function work? Does sending of an Excel spreadsheet trigger it as it's well known that it's used as The Database.

  28. XMAN


    You'd think that after the first incident, they'd have got in the habit of at least using password protection.

    The newer versions of Excel (for example) encrypt a password protected file and currently the only (public) way to get to the info is by brute forcing the password. I'm talking about password locking the file, not a sheet (which is still insecure).

  29. Andy B 1
    Thumb Down

    And the net result is?

    I wonder how much effect fining a public body has? In this case it will mean that some other council service is cut or curtailed or that the future council tax will be increased, hard to see how this acts as any sort of deterrent or punishment.

  30. Anonymous Coward


    "Surrey County Council has been fined £120,000 by the Information Commissioner's Office for breaking the Data Protection Act."

    Should read:

    "Surrey Council has been fined £120,000 by the Information Commissioner's Office for breaking the Data Protection Act but no one at Surrey Council will be punished and the people of Surrey will actually pay the fine through their Council Tax."

    People of Surrey, sack someone senior in the Council in a very public manner so that other Councils will learn and ensure the Executive of Surrey Council do not get a bonus this year.

  31. Anonymous Coward


    Surrey Council has since added an alert function when sensitive information is sent to an external email address. It has also improved staff training.

    Nothing to indicate they are encrypting personal data?

  32. Anonymous Coward

    "The council tried to recall the email"

    If you can recall it, it's not email.

    Want an analogy? If you're quick enough you might snatch something back out of company pigeonholes or even the "in" tray on someone's desk. But getting anything out of a post box requires at least waiting for the collector, but were I him I'd not let you without some sort of proof you put the letter in there in the first place. As for letter boxes, that'd be breaking at least if not quite entering.

    Likewise email. If you've handed the mail off to someone else's email handling machine, it's no longer in your power to recall. If you don't understand that, you really don't have business using the service. So it's not a valid argument.

  33. Jimbo 6

    'an alert function when sensitive information is sent to an external email address'

    Hopefully, it will alert *before* the information is sent? Or will it just play a snippet of Britney's "Oops I did it again" after the event, to confirm the user is indeed a lunghead?

  34. rastansaga

    council response prediction

    Don't worry, I'm sure the council bosses will take full responsibility and more importantly, lessons have been learnt. Now, back to that golf swing...

  35. Anonymous Coward
    Thumb Down

    We need personal liability for this to work.

    Staff in bookies, pubs, off-licences and tobacconists are all personally liable for dropping a bollock. They're also worse paid.

  36. Anonymous Coward

    no surprise

    not overly surprised at this, when trying to educate council 'users' on IT security or information handling the response was 'okay we'll do it, unless it means we have to change the way we work'.

    They knew best.....

  37. Anonymous Coward
    Paris Hilton

    How much

    are they paid?/do they understand? The majority of staff on yer local council do not even understand computers let alone the security issues such as encryption. How many are 45+ yrs. old? You have local council managers applying cost cutting across the board - more "work - i.e. duties" for the same pay with little or no training. These workers do not understand exactly what the keystrokes mean ffs! They just do the job. Any confidential info. should be held on an encrypted file anyway. Local govt. is broken as far as these issues are concerned - if the high street banks can't be arsed to do anything about it, what price your local council? FFS!

    Paris - 'cos she can be arsed, allegedly...........

  38. Anonymous Coward

    That alert function in full.....

    System/ Caution : You are about to send sensitive information to

    user/ yeh, so what?

    System/ It's a Friday afternoon and you're likely to be pissed after starting the weekend early

    downt'pub, lad...

    user/ yeh, fuggit like......

  39. Anonymous Coward

    Performance related pay?

    This is what the Chief Executive's Performance Pay element is for. He has failed, and should forfeit £120K from his pay. And do the same to his line managers.

  40. Sam Therapy
    Thumb Down

    Once again, inappropriate action by ICO

    Sackings and/or jail terms are appropriate. Passing on the cost of the council's fuck up to the tax payers is not.

  41. Joseph Slabaugh
    Thumb Down

    American here

    I am not from the UK, but agree about the fines being useless, but they could just use Google Docs, and control who has access to each document or spreadsheet.

  42. Alan Brown Silver badge

    Personal responsibility

    Staff doing this should face disciplinary procedures, to understand the seriousness of the transgression - AS SHOULD THEIR MANAGERS.

    I'm glad the ICO is starting to bare its teeth but they need to go after some of the more egregious offenders such as advertising companies which are still scraping data,
