Children’s Services Issued With A Reprimand Following Inappropriate Disclosure Of A Child’s Personal Data

Ruby Ashby

The Information Commissioner’s Office (ICO) issued a reprimand to Birmingham Children’s Trust Community Interest Company (BCTCIC) for breaches of Articles 5(1)(f), 32(1) and 32(2) of the UK GDPR.

BCTCIC’s Child Protection and Review Department (Department) were supporting two neighbouring families, family A and family B. Child X was part of family B. The mother of family A raised concerns with BCTCIC in relation to the interactions between her child and child X. As a result, BCTCIC created a Child Protection Plan (CP plan).

To understand how the breach occurred, it is important to first understand how BCTCIC puts together a CP plan. There is an Initial Child Protection Conference meeting, during which various things are discussed, including danger and harm to the parties involved. The notes from this initial meeting are then used by the case worker to formulate the CP plan.

In this case, the danger and harm to family A did not form part of the agenda for the initial meeting and therefore, the case worker preparing the CP plan did not have enough information to construct a danger and harm statement from the meeting notes alone. The case worker therefore accessed the minutes from a separate strategy meeting with West Midlands Police and copied the full statement into the CP plan.

On 10 November 2022, the CP plan was disclosed to family A, including the statement copied from the meeting with West Midlands Police. Sensitive criminal data and personal data relating to a child were therefore disclosed inappropriately to a third party.

The breach

Article 5(1)(f) of the UK GDPR is known as the ‘Integrity and Confidentiality Principle’. It confirms that personal data should be:

“processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”.

Articles 32(1) and (2) of the UK GDPR relate to the security of processing and detail what measures a controller and/or processor should put in place to ensure an appropriate level of security.

The reprimand

Following their investigation, the ICO found that whilst BCTCIC did have some policies and procedures in place, these ultimately fell short. For example, BCTCIC failed to provide the ICO with clear evidence of any role-specific Standard Operating Procedures offering guidance to staff on how to apply data protection obligations to their work in a practical sense. BCTCIC heavily relied upon the standards set by Social Work England that were not specific to their staff or their roles. The ICO criticised BCTCIC for this and found that given their size and resources, they should have their own bespoke procedures in place.

The ICO did take into account the remedial steps taken by BCTCIC. They did immediately contact family A and recovered the CP plan on the same day it was disclosed. Family B were also notified of the breach and a risk assessment was conducted as a result.

Ultimately, the ICO did decide to issue a reprimand.

Within the reprimand, the ICO made some recommendations to be implemented by BCTCIC to improve its compliance with the UK GDPR, including:

  1. Creating Standard Operating Procedures including a process for documents to be checked independently by someone other than the author prior to disclosure;
  2. A redaction policy, giving staff the tools and the knowledge to redact information when necessary; and
  3. To consider what other processes lead to the disclosure of personal data and to put in place appropriate policies for these processes.

How can we help?

Ruby Ashby is a Senior Associate in our expert Dispute Resolution team, specialising in data breach claims, inheritance and Trust disputes and defamation claims.

If you need any advice, please do not hesitate to contact Ruby or another member of the team in Derby, Leicester, or Nottingham on 0800 024 1976 or via our online enquiry form.
