News that Newcastle City Council in the UK have admitted to a severe data leak has highlighted the need for compliance with the forthcoming European Union General Data Protection Regulations.
Information about 2743 individuals was sent to 77 people in an email attachment in error. The details on the attachment included the names, birth dates and addresses of adopted children, the breach being blamed on human error. In a prepared statement, the council said:
“On 15 June 2017, an employee in the council’s adoption team accidentally attached an internal spreadsheet to emails inviting adoptive parents to the council’s annual adoption summer party. The email and attachment were sent to 77 people. This attachment contained personal details relating to 2,743 individuals, comprising current and former adoptees, parents and social workers who had been involved with these families. The spreadsheet included personal information such as names, addresses and the birthdates of the adopted children.”
The council has set up a helpline to assure and try and help those people affected by the data breach and have pledged to review data protection across the council. The council’s Director of People, Ewen Weir said that the council was truly sorry for the breach and will do everything they can to support the families involved.
“I am truly sorry for the distress caused to all those affected. We will work closely with the affected families and individuals to support them at this trying time. This breach appears to have been caused by human error and a failure to follow established procedures. We are conducting a thorough review of our processes to identify what changes we can make to ensure that this never happens again.”
However, this has not reassured at least one member of the families involved. Speaking to the BBC, one lady who has adopted two children and asked not to be identified said:
“When I found out what information had been sent out I felt sick inside. We have had two letters from the council reassuring us. But I don’t feel reassured. When I got the first letter it asked me to ring a number, so I did. Fifteen times I rang throughout the day and couldn’t speak to anyone. So the next morning I started ringing again and I got to the eighth time and there was still no-one answering.”
She said she was fearful the information could find its way onto social media.
“The council can’t guarantee that everyone who got the email has deleted it or that it won’t get out further. These children were placed in care for their safety. Some have had horrendous things happen to them and you don’t want the safety of your children put at risk.There are birth parents out there that try to get in touch with their children. It just worries me that one day they could end up on the doorstep.”
From May 2018, any data breaches such as this could potentially face fines of €20m or 4% of annual turnover, whichever is greater under the European Union General Data Protection Regulations.