Nottinghamshire County Council fined £70,000 for leaving data belonging to vulnerable people exposed for 5 years

The Information Commissioner’s Office (ICO) issued Nottinghamshire County Council a fine of £70,000.00 for leaving sensitive personal data exposed online for half a decade.

The watchdog discovered the council’s ‘Home Care Allocation System’ (HCAS) was shared with care home providers using a simple link that did not require a username or a password.

The system contained a lot of personal information belonging to prospective and current care home users. The system was created in July 2011, and the council was finally alerted to the security risk when a member of the public searched for HCAS online in June 2016 and found files readily accessible and completely unrestricted.

About the leak

The unnamed individual who discovered unrestricted access to the sensitive data was horrified and noted the following:

“Should someone who would wish to prey on a vulnerable person, e.g. a thief, obtain these details it would not be very difficult for them to attend one of the streets listed, find where the carers attend and subsequently consider attempting a burglary or similar knowing the service user is very likely to be vulnerable or elderly.”

They also noted that the available information included whether the care home resident had been admitted to hospital recently, meaning someone could easily impersonate hospital staff and pay a ‘visit’ for illegitimate reasons.

At the time the security flaw was discovered, 81 users of care homes were reportedly listed on the HCAS directory.

Available information included:

  • Gender
  • Location (including if the user was currently in hospital)
  • Personal care needs
  • Care package requirements

A dangerous data leak

This is enough to do serious damage, especially to elderly and vulnerable people, who can be more susceptible to scams. As rightly noted by the individual who discovered the flaw, once a criminal has access to a care home under false pretences, they could easily steal money and belongings from residents who may be powerless to stop them.

Head of Enforcement of the ICO, Steve Eckersley, condemned the council’s complete disregard for the vulnerable people’s data protection and safety, saying:

“This was a serious and prolonged breach of the law. For no good reason, the council overlooked the need to put robust measures in place to protect people’s personal information, despite having the financial and staffing resources available.”

He also addressed the responsibility organisations have when it comes to data protection:

“…given the sensitive nature of the personal data and the vulnerability of the people involved, this was totally unacceptable and inexcusable. Organisations need to understand that they have to treat the security of data as seriously as they take the security of their premises or their finances.”

Nottinghamshire County Council have since taken HCAS off the public domain, but it notably took them five years and a £70,000 fine to do what they should have done when the system was first created.

The content of this post/page was considered accurate at the time of the original posting and/or at the time of any posted revision. The content of this page may, therefore, be out of date. The information contained within this page does not constitute legal advice. Any reliance you place on the information contained within this page is done so at your own risk.

www.dataleaklawyers.co.uk is © of Your Lawyers Limited - we are 'Authorised and Regulated by the Solicitors Regulation Authority (SRA number 508768)'