Welsh councils broke data protection laws 60 times

Image caption Seven of the 22 local authorities said they had recorded no breaches last year

Local authorities in Wales broke data protection laws over 60 times in 2012, BBC Wales has learned.

In one case a worker allowed their partner to access and amend personal data.

There were also several cases of posting personal data on websites, and an e-mail which accidentally disclosed sensitive details of 24 dead people.

The Information Commissioner's Office (ICO) called for effective data handling to become second nature.

Seven of the 22 local authorities said they had recorded no breaches last year.

BBC Wales' Welsh-language news website Newyddion Ar-lein obtained the information in a Freedom of Information request.

The ICO was informed about "several incidents" in Anglesey council in 2012 in which documents including personal data "were either disclosed or disposed of inappropriately, or there was a risk of unauthorised access".

After an investigation, the ICO said that the council's guidelines on data protection were insufficient and the chief executive committed to making improvements.

An Anglesey council spokesperson said: "In order to secure improvements, we have recently established a corporate information governance project board to embed and improve a culture of data protection compliance throughout the whole organisation."

The 17 breaches in Powys council included five internal cases of misdirecting information, and 12 cases of sending information to the wrong address, recording wrong personal data in correspondence, and placing personal data on the council's website. Disciplinary procedures were taken against one staff member.

There were seven cases recorded in Cardiff council. Among them were a member of staff accidentally sending an email to a number of third party individuals - including Cardiff council employees, Vale of Glamorgan council and individuals in the NHS - which accidentally disclosed sensitive details of 24 dead people. However, the Data Protection Act does not apply to the deceased.

Also in Cardiff council, a worker sent an e-mail with sensitive personal data to the wrong person internally and a planning file containing personal data was lost.

There were seven cases in Wrexham Council. On two occasions the social services department mistakenly shared information with a third party; e-mail addresses of subscribers to the housing department portal were shared by mistake, and the council failed to respond to a request for data within the necessary 40 days four times.

Four cases were recorded in Flintshire council. Disciplinary action was taken against one worker who allowed a partner to access and amend personal data.

In addition, two committee reports which included personal data were mistakenly published on the website, a letter about children's services was sent to the wrong house, and a CD with personal data was lost.

Five cases were reported in Newport council, and two workers were given final written warnings.

Gwynedd council said that none of the data involved in its five breaches was sensitive, while in Caerphilly council further training was provided after three cases in which personal data was mistakenly revealed.

In Conwy "several cases" were recorded of missing data, involving e-mails, faxes and letters being misdirected, and information being stolen from vehicles and property.

There were two breaches in Carmarthenshire council. A private company was used to send a circular to each member of the Dyfed Pension Fund. It printed members' national insurance number on each envelope, and accepted full responsibility for the mistake. In addition, the council failed to respond to a request for information within the 40 statutory days.

There was one breach in Pembrokeshire council in 2012 when information regarding planning enforcement was published in error on its website, while Bridgend council also recorded one breach when a mobile phone which had personal data about service users was lost for some hours.

The single breach in Ceredigion council occurred when a letter to an employee was sent to the wrong address, and also one breach in Denbighshire council involving personal information being sent to the wrong person.

In Neath Port Talbot council, a breach occurred when referral forms involving three prospective service users were stolen from a service provider commissioned by the council.

There were no breaches in 2012 in Blaenau Gwent, Merthyr Tydfil, Monmouthshire, Rhondda Cynon Taf, Torfaen, Swansea and the Vale of Glamorgan.

The Information Commissioner's Office said: "It's vital that local authorities properly live up to their legal responsibility to keep personal data secure, particularly where it is sensitive information about children and young people.

"Our concern isn't just that councils have the right policies and procedures in place; it's about bringing about a culture among staff whereby everyone takes their responsibilities seriously and effective data handling becomes second nature."

More on this story

Related Internet links

The BBC is not responsible for the content of external Internet sites