The ICO has ordered Wolverhampton City Council to provide adequate data protection training for its staff following a series of warnings dating back over two years.
The issue of the enforcement notice follows an investigation into a data breach at the council that occurred in January 2012 when a social worker sent a report to a former service user detailing their time in care. However the social worker, who had not received any prior data protection training, failed to remove from the report highly sensitive information about the recipient’s sister.
In December 2011, just before the breach, the ICO completed an audit with the council, which recommended the council introduce a data protection policy explaining how people’s information should be kept secure and included recommendations the council should provide mandatory staff training so that policy would be followed.
The policy was introduced in May 2013 with mandatory training for all staff scheduled to have been completed by the end of February 2014. However, the ICO discovered that the council failed to meet this deadline, with two-thirds of the council’s staff (68 percent) still having not undertaken the training.
The council must now ensure that the training is provided to all staff within 50 days of the date of the Enforcement Notice.
A copy of the enforcement notice is available here.