InfoLaw Update - Councils in Wales Fall Foul of Data Protection Laws

Following a freedom of information request from the Welsh Language news department at the BBC, it has been uncovered that local authorities in Wales have breached data protection laws more than 60 times in 2012.

The Data Protection Act 1998 places an obligation on ‘data controllers’ to protect both ‘personal data,’ which relates to data that can make an individual easily identifiable such as salary or bank account details, and ‘sensitive personal data’ which includes information such as a person’s race or their political affiliation.

However, despite the above protections being in place for 15 years, a number of Councils in Wales have failed to operate data protection policies and procedures effectively. This has resulted in a high volume of violations of the Data Protection Act.

Most of the violations occurred by mistake. For example, employees at Powys Council sent personal and sensitive information to the wrong address on 12 different occasions. Cardiff Council was also found not to be immune to breaches of the Data Protection Act when an employee there sent details of 24 people who had died to a number of third-party individuals. However, this mistake was mitigated to some extent by the fact that the Data Protection Act does not apply to the deceased.

An example of a deliberate breach occurred at Flintshire Council where an employee was disciplined for allowing his partner to deliberately access and amend personal data.

When a breach of the Data Protection Act occurs it is up to the Information Commissioner’s Office to investigate and then to decide what action to take. In relation to these incidents the Commissioner’s office said "it is vital that local authorities properly live up to their legal responsibility to keep personal data secure, particularly where it is sensitive information about children and young people."

Unfortunately, mistakes do happen when it comes to the management of personal and sensitive personal data. However, you can limit or potentially stop mistakes altogether by having a clear data protection policy in place and by applying procedures effectively and efficiently. Employees who handle all types of personal data should be properly and regularly trained on the obligations they are under to protect personal data. Indeed, the Information Commissioner’s Office went one step further in the case of the Welsh Councils by saying that the authorities must "bring about a culture among staff whereby everyone takes their responsibilities seriously and effective data handling becomes second nature."

About the author

Natalie Ruane

Natalie leads the Employment Law & HR team and specialises in education.

Published: Tuesday 20th August 2013
Categorised: Information Law
